See also: https://bugzilla.mozilla.org/show_bug.cgi?id=435013

On 06/09/16 18:55, Paul Wouters wrote:
> On Tue, 6 Sep 2016, Kyle Hamilton wrote:
> 
>>> That seems unlikely to me (in that browsers don't really keep a server
>>> cert database).
>>
>> Has that changed?  I talked with Dan Veditz (at Mozilla) around 5 years
>> ago regarding the fact that NSS had told me of duplicate serial numbers
>> being issued by a single issuer, and that as a result Firefox had
>> refused to permit me to connect to a site and also refused to allow me
>> to examine the certificate or identify its issuer for myself.  I had to
>> use OpenSSL to get it.  His action item at the time was to increase
>> reportability of those issues to Mozilla, because (paraphrased from his
>> words) "a CA issuing duplicate serial numbers is a violation of all of
>> the specifications and we need to know about it, to figure out what else
>> they're doing wrong".
> 
> I recently ran into this when NSS rejected an IPsec client certificate
> after a libreswan ipsec software upgrade. The upgrade replaced openswan
> which used custom X.509 code and did not use NSS and it did accept the
> certificate with duplicate serial number.
> 
> For IPsec, a separate non-system NSS store is used, so I don't know
> how browsers handle this, but the NSS code is there to reject it _if_
> it encounters this.
> 
> Paul

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
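The exchange above describes the rule NSS enforces: two different certificates from the same issuer must never carry the same serial number (NSS reports the condition as SEC_ERROR_REUSED_ISSUER_AND_SERIAL). The following is an added example, not code from this thread, from NSS or from libreswan, that audits a batch of DER certificates for that condition. It uses a hand-written minimal DER reader (an assumption of this example, not NSS's parser) to walk only the first TBSCertificate fields, keys each certificate on the raw serialNumber encoding plus the issuer Name bytes, and flags a key only when two *distinct* certificates share it, so the same certificate stored twice is not a false positive. The sample input is constructed inline: unsigned certificate shells with placeholder key and signature bits, and the names "Example CA", "Other CA" and the hostnames are made up for the demonstration.

```python
"""Audit DER-encoded X.509 certificates for reused (issuer, serialNumber) pairs,
the condition NSS refuses as SEC_ERROR_REUSED_ISSUER_AND_SERIAL."""
import hashlib


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def issuer_and_serial(cert_der):
    """Return (issuer Name DER, serialNumber content bytes) of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER,
                                  signature AlgorithmIdentifier, issuer Name, ... }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # skip the optional [0] EXPLICIT version
        tag, val, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    serial = val                           # keep the raw DER content, compare bytewise
    tag, _, pos = _read_tlv(tbs, pos)      # signature AlgorithmIdentifier, skipped
    if tag != 0x30:
        raise ValueError("signature must be a SEQUENCE")
    start = pos
    tag, _, pos = _read_tlv(tbs, pos)      # issuer Name, kept as its full encoding
    if tag != 0x30:
        raise ValueError("issuer must be a SEQUENCE")
    return tbs[start:pos], serial


def find_duplicate_serials(certs):
    """Map every (issuer, serial) shared by two or more *different* certificates to
    the set of their SHA-256 fingerprints. The same certificate seen twice is fine;
    distinct certificates under one key are the violation."""
    seen = {}
    for der in certs:
        fp = hashlib.sha256(der).hexdigest()
        seen.setdefault(issuer_and_serial(der), set()).add(fp)
    return {key: fps for key, fps in seen.items() if len(fps) > 1}


# --- Constructed sample input (not real certificates): a tiny DER encoder builds
# --- structurally valid but unsigned shells with placeholder key and signature bits.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # DER: positive needs a leading 0


def _name(cn):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF { id-at-commonName (2.5.4.3), UTF8String }."""
    atv = _der(0x30, _der(0x06, bytes([0x55, 0x04, 0x03])) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_cert(issuer_cn, serial, subject_cn):
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + b"\x05\x00")  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"160906000000Z") + _der(0x17, b"170906000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + b"\x05\x00")
                + _der(0x03, b"\x00placeholder-public-key"))
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(serial) + sig_alg + _name(issuer_cn)
               + validity + _name(subject_cn) + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00placeholder-signature"))


def sample_certs():
    """Constructed corpus: two different certs share (Example CA, 0x1001); a repeat of
    the same cert, a different serial and a different issuer must not be flagged."""
    a = make_cert("Example CA", 0x1001, "www.example.test")
    b = make_cert("Example CA", 0x1001, "mail.example.test")   # reused serial, different cert
    c = make_cert("Example CA", 0x1002, "vpn.example.test")
    d = make_cert("Other CA", 0x1001, "www.example.test")      # same serial, other issuer
    return [a, b, a, c, d]


if __name__ == "__main__":
    for (issuer, serial), fps in find_duplicate_serials(sample_certs()).items():
        print("serial", serial.hex(), "reused under issuer", issuer.hex()[:24] + "...", sorted(fps))
```

Run as a script it prints the one offending pair from the constructed corpus; feed `find_duplicate_serials` the DER bytes of a real batch (a CT log slice, a local NSS or IPsec store export) to audit it. The comparison is deliberately bytewise on the serialNumber encoding rather than on a decoded integer, which is how a strict DER consumer sees the value: a serial mis-encoded without its leading zero byte counts as a different key here, just as it would be a separate defect to report.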

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy