User:Brahmana/Security PSM Docs

From MozillaWiki

Abstract notes from IRC conversations and code browsing

  • There is an nsIBadCertListener2, which can be used to get notified every time an SSL cert validation fails. Validation can fail for several different reasons.
    • nsIBadCertListener is probably obsolete, which is why the corresponding file nsIBadCertListener.idl is an empty file.
  • An object implementing nsIBadCertListener2 acts as the listener; set it as the notificationCallbacks of any channel whose certificate validation status you want to receive.
    • If you replace the channel's notificationCallbacks with your own object, make sure that getInterface() requests for interfaces your object does not implement are forwarded to the previous callbacks object: keep a reference to the old value in your implementation and delegate those calls to it.
  • The only function in this interface, notifyBadCert(), gets an nsISSLStatus object which holds a reference to the X.509 certificate.
  • The same function receives an nsIInterfaceRequestor as the socket context, from which the host:port information can be obtained.
  • There is an nsICertOverrideService that can be used to add a particular certificate to the exception list, to check whether a particular cert already has an exception, and so on.
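The notes above describe the pieces; the following added example (my own code, not from PSM or this wiki page) puts them together as a chrome-JS listener. In the shipped nsIBadCertListener2.idl the single method is notifyCertProblem(socketInfo, status, targetSite), where targetSite is the "host:port" string and a true return value tells PSM the problem was handled so no error page is shown. The example keeps the XPCOM-specific objects as parameters so the routing and decision logic can be exercised outside Firefox: `Ci` stands for Components.interfaces, `overrideService` for the nsICertOverrideService obtained via Cc["@mozilla.org/security/certoverride;1"].getService(Ci.nsICertOverrideService), and `pins`, a map from "host:port" to the SHA-256 fingerprint reported by nsIX509Cert.sha256Fingerprint, is an assumed policy object. The point it demonstrates is that a listener which simply returns true silences every certificate error, so the override is only recorded for a certificate the caller has explicitly pinned.

```javascript
// Added example, not part of the wiki notes or of PSM itself.
// In Firefox chrome code: Ci = Components.interfaces and
// overrideService = Cc["@mozilla.org/security/certoverride;1"]
//                     .getService(Ci.nsICertOverrideService)

// Override bits defined on nsICertOverrideService.
const ERROR_UNTRUSTED = 1; // issuer not trusted (e.g. self-signed)
const ERROR_MISMATCH = 2;  // certificate name does not match the host
const ERROR_TIME = 4;      // certificate expired or not yet valid

// Translate the flags on an nsISSLStatus into the bits that
// nsICertOverrideService.rememberValidityOverride() expects.
function statusToOverrideBits(status) {
  let bits = 0;
  if (status.isUntrusted) bits |= ERROR_UNTRUSTED;
  if (status.isDomainMismatch) bits |= ERROR_MISMATCH;
  if (status.isNotValidAtThisTime) bits |= ERROR_TIME;
  return bits;
}

// notifyCertProblem receives the target as "host:port".
function splitTargetSite(targetSite) {
  const i = targetSite.lastIndexOf(":");
  if (i < 0) throw new Error("targetSite is not host:port: " + targetSite);
  return { host: targetSite.slice(0, i), port: Number(targetSite.slice(i + 1)) };
}

// Build a notificationCallbacks object that answers nsIBadCertListener2 itself
// and forwards every other getInterface() request to the channel's previous
// callbacks, so prompts, progress listeners etc. keep working.
// `pins` (assumed policy object) maps "host:port" to the sha256Fingerprint of
// the one certificate allowed despite failing validation.
function makeBadCertListener(Ci, oldCallbacks, overrideService, pins) {
  const listener = {
    getInterface(iid) {
      if (iid.equals(Ci.nsIBadCertListener2)) return listener;
      if (oldCallbacks) return oldCallbacks.getInterface(iid);
      throw new Error("NS_ERROR_NO_INTERFACE");
    },

    // true  -> PSM treats the problem as handled and suppresses the error page
    // false -> default handling continues
    notifyCertProblem(socketInfo, status, targetSite) {
      const { host, port } = splitTargetSite(targetSite);
      const cert = status.serverCert;
      const expected = pins[targetSite];
      if (!expected || cert.sha256Fingerprint !== expected) return false;

      const bits = statusToOverrideBits(status);
      if (bits === 0) return false; // a failure we do not recognise: leave it to PSM

      // Out-parameters are passed as empty objects from JS.
      const known = overrideService.hasMatchingOverride(host, port, cert, {}, {});
      if (!known) {
        // temporary = true: the exception is dropped when the session ends.
        overrideService.rememberValidityOverride(host, port, cert, bits, true);
      }
      return true;
    },
  };
  return listener;
}
```

Usage in chrome code is `channel.notificationCallbacks = makeBadCertListener(Ci, channel.notificationCallbacks, overrideService, pins)` before the request is sent. Recording the override does not rescue the connection that already failed; it only makes the next attempt to the same host:port succeed, so the caller is expected to retry the request after notifyCertProblem returns true. Leaving `temporary` as true keeps the exception out of the persistent override store, which is the safer default for anything that is not a deliberate, user-visible decision.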