In order to make OCSP-over-Proxies work, changes are required to the way
SSL is hooked into the Mozilla client applications, as I had outlined in
my previous posting.
While the code changes to PSM have not yet been reviewed, it seems to
work for me; I don't see any problems during my own testing.
To make sure my observation is right, I'd greatly appreciate your help
in testing the changes. Even if you can't test whether OCSP-over-Proxy
is working, it is very important for me to confirm the changes do not
introduce regressions when using SSL, be it https, imap+ssl, smtp+tls, etc.
I produced and uploaded a bunch of test builds. They are based on
yesterday's MOZILLA_1_8_BRANCH, so the base applications are a bit newer
than Firefox 1.5 / Thunderbird 1.5 / Seamonkey 1.0, but not as
experimental as the trunk of Mozilla client development.
There are builds of Firefox, Thunderbird and Seamonkey for Linux, Mac OS
X and Win32 available. (All names are trademarks of their respective owners.)
http://kuix.de/mozilla/ocspproxy/20060202/
Please feel free to provide feedback by private mail (kengert@), all
comments are highly welcome.
Thanks and Regards,
Kai
Kai Engert wrote:
As of today, OCSP in NSS does not work from within an environment that
requires the use of a proxy server to access the OCSP responder server.
Instead of extending NSS' internal HTTP client with support for proxies,
we are working on a mechanism that allows a client application to do
HTTP communication on behalf of NSS.
This strategy seems reasonable, as Mozilla applications already come
with functionality to access various kinds of proxies, including
configuration and authentication.
A callback API is currently being specified and its draft can be found
in the patches attached to:
https://bugzilla.mozilla.org/show_bug.cgi?id=152426
If you'd like to add support for HTTP proxies in your own NSS
application, you will be able to provide your own implementation of the
callback API, possibly as a thin layer over some other HTTP library of
your choice. I found a list of some other libraries here:
http://curl.haxx.se/libcurl/competitors.html
We plan to provide documentation on how to make use of the new HTTP
callback API on this wiki page:
http://developer.mozilla.org/en/docs/HTTP_Delegation
In order to implement this callback API in Mozilla client applications
(Firefox/Thunderbird/Seamonkey), changes are required to PSM and the way
it does SSL. You can track the work here:
https://bugzilla.mozilla.org/show_bug.cgi?id=111384
There are text attachments that explain the changes in more detail.
Did you produce an application that includes not just NSS, but also PSM
and its additional SSL layering? If your own application using PSM is
not yet a multithreaded application, be warned that a future version of
PSM will require the use of additional threads.
Kai
_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto