On Aug 11, 2014, at 3:58 PM, br...@consultbruce.com wrote:

> On Monday, April 7, 2014 6:33:50 PM UTC-4, Kathleen Wilson wrote:
>> All,
>>
>> We have been working on a new certificate verification library for
>> Gecko, and would greatly appreciate it if you will test this new library
>> and review the new code.
>>
>> Background
>>
>> NSS currently has two code paths for doing certificate verification.
>> "Classic" verification has been used for verification of non-EV
>> certificates, and libPKIX has been used for verification of EV
>> certificates.
>>
>> As many of you are aware, the NSS team has wanted to replace the
>> "classic" verification with libPKIX for a long time. However, the
>> current libPKIX code was auto-translated from Java to C, and has proven
>> to be very difficult to maintain and use. Therefore, Mozilla has created
>> a new certificate verification library called mozilla::pkix.
>>
>> Request for Testing
>>
>> Replacing the certificate verification library can only be done after
>> gaining sufficient confidence in the new code by having as many people
>> and organizations test it as possible.
>>
>> We ask that all of you help us test this new library as described here:
>> https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Request_for_Testing
>>
>> Testing Window: The mozilla::pkix certificate verification library is
>> available for testing now in Nightly Firefox builds. We ask that you
>> test as soon as possible, and that you complete your testing before
>> Firefox 31 exits the Aurora branch in June.
>> (See https://wiki.mozilla.org/RapidRelease/Calendar)
>>
>> Request for Code Review
>>
>> The more people who code review the new code, the better. So we ask all
>> of you C++ programmers out there to review the code and let us know if
>> you see any potential issues.
>> https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Request_for_Code_Review
>>
>> We look forward to your help in testing and reviewing this new
>> certificate verification library.
>>
>> Mozilla Security Engineering Team
>
> Yup - having a problem. Novell ZENworks optionally uses an internal CA and
> with FF 31 I can no longer connect to the management console or any of the
> other web services. I'll try turning off the new CA checker to see if that
> works. I like the idea of better security, but you just pissed off a lot of
> my customers.

Hey Bruce,

It appears the Novell certs have run afoul of a couple of the new checks in
mozilla::pkix. It should be noted that this is because they are violating
the X.509/PKIX specifications, e.g., by setting an invalid version number.

https://bugzilla.mozilla.org/show_bug.cgi?id=1042889
https://bugzilla.mozilla.org/show_bug.cgi?id=1047177
https://bugzilla.mozilla.org/show_bug.cgi?id=1045973

We're looking at how we should adapt the verification process to deal with
these. In the meantime, you can revert to classic validation by setting
security.use_mozillapkix_verification to false.

--Richard

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
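Richard's reply names an invalid X.509 version number as one reason an internal CA's certificates can be rejected by a strict verifier. The following is an added example, not code from this thread, from mozilla::pkix or from Novell: a small DER walker that reads the version field of a certificate and reports the RFC 5280 section 4.1.2.1 rules it breaks (the encoded integer must be 0, 1 or 2 for v1, v2, v3; extensions require v3; issuer/subject unique identifiers require at least v2). The function and sample names (`x509_version_problems`, `make_sample_cert`) are this example's own, and the sample certificates it builds are constructed placeholders that exercise only the version logic. Which of these rules mozilla::pkix enforced, and how, is in the linked bugs, not reproduced here; an operator can run the checker over their CA's real DER certificates to see which ones fail these rules before relying on the classic-validation fallback.

```python
"""Check the version field of a DER-encoded X.509 certificate against RFC 5280.

Added example for this thread; not mozilla::pkix code. Rules encoded
(RFC 5280 4.1.2.1): version is [0] EXPLICIT INTEGER DEFAULT v1(0), legal
encoded values are 0 (v1), 1 (v2), 2 (v3); extensions require v3;
issuerUniqueID/subjectUniqueID require v2 or v3.
"""


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _children(content: bytes):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        yield tag, value


def x509_version_problems(cert_der: bytes):
    """Return (version_number, [problems]) for a DER Certificate.

    version_number is the human-facing number (encoded value + 1, so 1..3 is
    legal). problems is empty when the version field obeys RFC 5280.
    """
    outer_tag, outer, _ = _read_tlv(cert_der, 0)
    if outer_tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs_tag, tbs, _ = _read_tlv(outer, 0)
    if tbs_tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")

    fields = list(_children(tbs))
    encoded = 0                                   # DEFAULT v1(0) when absent
    if fields and fields[0][0] == 0xA0:           # [0] EXPLICIT version
        int_tag, int_val = next(iter(_children(fields[0][1])))
        if int_tag != 0x02:
            raise ValueError("version must wrap an INTEGER")
        encoded = int.from_bytes(int_val, "big", signed=True)

    tags = {tag for tag, _ in fields}
    problems = []
    if encoded not in (0, 1, 2):
        problems.append(f"version field {encoded} is not v1(0), v2(1) or v3(2)")
    if 0xA3 in tags and encoded != 2:             # [3] EXPLICIT extensions
        problems.append("extensions present but version is not v3")
    if (0x81 in tags or 0x82 in tags) and encoded == 0:  # [1]/[2] IMPLICIT unique IDs
        problems.append("uniqueIdentifier present but version is v1")
    return encoded + 1, problems


def _tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_sample_cert(version_int: int, with_extensions: bool) -> bytes:
    """CONSTRUCTED sample: a Certificate with the TBS field layout but
    placeholder contents (no real names, key or signature). It exists to
    exercise x509_version_problems and is not a usable certificate."""
    rsa_sha256 = _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
    fields = [
        _tlv(0xA0, _tlv(0x02, bytes([version_int]))),          # [0] version
        _tlv(0x02, b"\x01"),                                   # serialNumber
        _tlv(0x30, rsa_sha256),                                # signature alg
        _tlv(0x30, b""),                                       # issuer placeholder
        _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, b"150101000000Z")),
        _tlv(0x30, b""),                                       # subject placeholder
        _tlv(0x30, b""),                                       # SPKI placeholder
    ]
    if with_extensions:
        fields.append(_tlv(0xA3, _tlv(0x30, b"")))             # [3] extensions
    tbs = _tlv(0x30, b"".join(fields))
    signature = _tlv(0x03, b"\x00" + b"\x00" * 4)              # placeholder BIT STRING
    return _tlv(0x30, tbs + _tlv(0x30, rsa_sha256) + signature)


if __name__ == "__main__":
    # Real use: x509_version_problems(open("ca-cert.der", "rb").read())
    for ver, ext in ((2, True), (3, True), (0, True), (0, False)):
        print(ver + 1, ext, x509_version_problems(make_sample_cert(ver, ext)))
```

A certificate that passes this check can of course still fail other PKIX rules; the point of running it is to separate "our CA emits a version number the spec does not allow" from the other failure modes before deciding whether to reissue the certificates or to fall back to classic validation.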