Mozilla nss 2 years bug with OCSP checking .. that can be quite troublesome

May 26, 2008

PKI and cert signing is not such an easy subject, since most vendors do their own little “enhancements” or have a different interpretation of the standards. (Or there are still no standard to cover every possible occasion so they are becoming a bit creative).

[ Small sidenote: I will restrain myself from starting bitching about the PKI that you have to pay lots of $$$ to someone you just had a chance to put his root certificate in your browser … securely ].

So after a while when you are involved in PKI you start experiments what each software really does. I was trying to use OCSP with mozilla products, that according to their documentation supports it (unlikely some other big company that supports OCSP only through third party software). I had a test certificate thas was revoked, but when i was trying to check it with ocsp (viewing the certificate with firefox) i got an error message that the certificate could not be verified for unknown reasons. The reasons were known .. IT HAS BEEN REVOKED. So i started checking and rechecking all the configuration, but i couldn’t spot anything strange. So as a last resort i recompiled a debugging version of firefox and the corresponding libraries and fired gdb.

After a while (debugging such a big application on not such a  “state of the art” machine can be a quite lengthy task)  I realised that firefox got the right response from the ocsp daemon, but somehow it messed up the error message. I found the problem and i produced a small patch. Then i created a login account for the mozilla bugzilla to report .. and then … i found the bug .. it is there for almost 2 years .. and still it hasn’t been included in the main tree. $(#($#($_)#$ Anyhow the bug is this (after adding my $0.02 to the solution). I hope that in the next release of libnss this thing will be included .. it can save a lot of headaches to many people!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: