This page is meant as a place to share ideas about the behaviour of OCSP requests and caching in NSS.
==NSS' verification behaviour==
NSS uses a global setting to have OCSP checking either enabled or disabled.
What happens when an application asks NSS to verify a certificate while OCSP checking is enabled?
NSS will:
* open a connection to the OCSP responder using HTTP
* send a request and receive a response
* verify the validity (signature, freshness) of the response
Only after all of the above has succeeded does NSS make use of the received response.
In the past, if OCSP was enabled and NSS considered a certificate for OCSP checking, NSS strictly required a successful exchange with a valid response, as explained above. On any failure, NSS treated the certificate as invalid.
NSS continues to offer this strict behaviour and uses it by default. The mode is called ocspMode_FailureIsVerificationFailure.
Starting with NSS 3.11.7, an application may globally set NSS' behaviour to a relaxed mode called ocspMode_FailureIsNotAVerificationFailure.
In the relaxed mode, OCSP communication is still attempted, but its success is optional. Any failure during the OCSP protocol or the response verification is treated as "no response available", and certificate verification is limited to the other checks (chain building, signatures, validity period). The price of this mode is that an attacker who can block or tamper with the OCSP exchange keeps NSS from learning about a revocation it has not already cached.
In the relaxed mode, only a valid response that indicates a revoked certificate causes NSS to reject the certificate. Such a response might be cached. Once information about a revoked certificate has been cached, NSS rejects the certificate. NSS might continue to ask an OCSP responder about the current certificate status, but a failure to obtain a valid response does not override the previously obtained revocation information.
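The interaction between the two failure modes and the cached revocation status is easiest to see as a small state machine. The Python below is an added model written for this page, not NSS code (in NSS itself the mode is selected with CERT_SetOCSPFailureMode() from ocsp.h, which the page does not mention). The mode names mirror the ones above; the cache semantics (only a verified "revoked" answer is remembered, and a later failure never overrides it) follow the paragraphs above; the outcome enum, the certificate identifier strings and the event sequence are assumptions made for the illustration.

```python
from enum import Enum, auto


class FailureMode(Enum):
    # The two modes named on this page (NSS's SEC_OCSPFailureMode values).
    FailureIsVerificationFailure = auto()       # strict, the default
    FailureIsNotAVerificationFailure = auto()   # relaxed, selectable since NSS 3.11.7


class OcspOutcome(Enum):
    # Result of one OCSP attempt for one certificate (constructed for this model).
    GOOD = auto()            # valid, fresh response saying "good"
    REVOKED = auto()         # valid, fresh response saying "revoked"
    CONNECT_FAILED = auto()  # HTTP connection to the responder failed
    BAD_SIGNATURE = auto()   # response received, but its signature did not verify
    STALE = auto()           # response received, but it is not fresh


FAILURES = {OcspOutcome.CONNECT_FAILED, OcspOutcome.BAD_SIGNATURE, OcspOutcome.STALE}


class OcspVerifier:
    """Decide whether a certificate passes the OCSP step under a given failure mode.

    Only the revocation cache is modelled (an assumption of this model): a verified
    "revoked" answer is remembered per certificate and is never overridden by a later
    failure. Whether "good" answers are cached, and for how long, is out of scope.
    """

    def __init__(self, mode: FailureMode) -> None:
        self.mode = mode
        self.revoked: set[str] = set()   # cert identifiers with a cached "revoked" answer

    def check(self, cert_id: str, outcome: OcspOutcome) -> bool:
        """Return True if the certificate is accepted, False if it is rejected."""
        if outcome is OcspOutcome.REVOKED:
            self.revoked.add(cert_id)
        if cert_id in self.revoked:
            # Cached revocation wins in both modes, whatever happened this time.
            return False
        if outcome is OcspOutcome.GOOD:
            return True
        assert outcome in FAILURES
        if self.mode is FailureMode.FailureIsVerificationFailure:
            return False        # strict: any protocol or validation failure rejects
        return True             # relaxed: a failure counts as "no response available"


def run_sequence(mode: FailureMode, events: list) -> list:
    """Feed (cert_id, outcome) events to one verifier and collect its verdicts."""
    verifier = OcspVerifier(mode)
    return [verifier.check(cert_id, outcome) for cert_id, outcome in events]


# Constructed scenario: the responder is unreachable, then reports revocation,
# then is unreachable again. Only the relaxed mode accepts the first attempt;
# once the revoked answer is cached, neither mode accepts cert-A any more.
SCENARIO = [
    ("cert-A", OcspOutcome.CONNECT_FAILED),
    ("cert-A", OcspOutcome.REVOKED),
    ("cert-A", OcspOutcome.CONNECT_FAILED),
    ("cert-B", OcspOutcome.BAD_SIGNATURE),
    ("cert-B", OcspOutcome.GOOD),
]

if __name__ == "__main__":
    for mode in FailureMode:
        print(mode.name, run_sequence(mode, SCENARIO))
```

Running the scenario gives [False, False, False, False, True] for the strict mode and [True, False, False, True, True] for the relaxed mode: the third event is the one the paragraph above is about, a failed exchange that does not rescue a certificate whose revocation is already cached.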
==NSS' internal OCSP Cache==
==HTTP POST vs. HTTP GET==
As of today NSS always uses HTTP POST when talking to OCSP responders.
Using POST prevents caching of OCSP responses in proxy servers: the request travels in the HTTP body, so a proxy has no URL under which to store the response, and every client verification reaches the responder.
It has been proposed that NSS also support HTTP GET, where the base64-encoded DER request is placed in the URL path (RFC 2560, Appendix A.1.1), so that proxies can cache the response.
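To make the difference concrete, the Python below builds an unsigned single-certificate OCSPRequest with a minimal DER encoder and renders it in both HTTP forms from RFC 2560 Appendix A.1.1. It is an added example for this page, not NSS code and not how NSS builds its requests; the issuer hashes, serial number and responder URL are constructed placeholders, and the request/response dictionaries merely describe the HTTP message instead of sending it.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

# --- minimal DER encoder: only the primitives an unsigned OCSPRequest needs ---

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_sequence(*items: bytes) -> bytes:
    return _der(0x30, b"".join(items))


def der_octet_string(data: bytes) -> bytes:
    return _der(0x04, data)


def der_integer(value: int) -> bytes:
    # Minimal big-endian encoding; the +8 keeps a leading 0x00 when the top bit
    # is set, so a positive serial number is never read back as negative.
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26, NULL parameters), the hash
# commonly used in CertID.
SHA1_ALGID = der_sequence(_der(0x06, bytes.fromhex("2b0e03021a")), _der(0x05, b""))


def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """DER-encode an unsigned OCSPRequest for one certificate (RFC 2560 section 4.1.1)."""
    cert_id = der_sequence(SHA1_ALGID,
                           der_octet_string(issuer_name_hash),
                           der_octet_string(issuer_key_hash),
                           der_integer(serial))
    request = der_sequence(cert_id)                    # Request { reqCert CertID }
    tbs_request = der_sequence(der_sequence(request))  # TBSRequest { requestList SEQUENCE OF Request }
    return der_sequence(tbs_request)                   # OCSPRequest { tbsRequest } (no optionalSignature)


def ocsp_post(responder_url: str, der_request: bytes) -> dict:
    """HTTP POST form: the request is the body, so a proxy has no cache key for
    the response and the responder is hit on every verification."""
    return {
        "method": "POST",
        "url": responder_url,
        "headers": {"Content-Type": "application/ocsp-request",
                    "Content-Length": str(len(der_request))},
        "body": der_request,
    }


def ocsp_get(responder_url: str, der_request: bytes) -> dict:
    """HTTP GET form: the base64 DER request is URL-encoded into the path,
    which gives proxies a URL to cache the response under."""
    b64 = base64.b64encode(der_request).decode("ascii")
    return {
        "method": "GET",
        "url": responder_url.rstrip("/") + "/" + quote(b64, safe=""),  # '+', '/', '=' become %xx
        "headers": {},
        "body": b"",
    }


def decode_get_url(url: str) -> bytes:
    """Recover the DER request from a GET URL built by ocsp_get (the responder's side)."""
    return base64.b64decode(unquote(url.rsplit("/", 1)[1]))


# Constructed sample input: the hashes are SHA-1 of placeholder strings, not of
# a real issuer's DER Name or public key; the serial and URL are made up.
ISSUER_NAME_HASH = hashlib.sha1(b"placeholder issuer Name").digest()
ISSUER_KEY_HASH = hashlib.sha1(b"placeholder issuer SubjectPublicKey").digest()
SERIAL = 0x0123456789ABCDEF
RESPONDER_URL = "http://ocsp.example.test/"

REQUEST_DER = build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SERIAL)
POST_REQUEST = ocsp_post(RESPONDER_URL, REQUEST_DER)
GET_REQUEST = ocsp_get(RESPONDER_URL, REQUEST_DER)

if __name__ == "__main__":
    print("DER OCSPRequest:", REQUEST_DER.hex())
    print("POST:", POST_REQUEST["headers"], len(POST_REQUEST["body"]), "body bytes")
    print("GET :", GET_REQUEST["url"])
```

The same 75-byte request is sent either way; only its transport differs. The GET URL is what a caching proxy keys on, which is also why a responder that wants to be cached has to set sensible HTTP cache headers on its answers, a detail the POST form never has to think about.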