== Background ==
[https://www.guru99.com/gecko-marionette-driver-selenium.html Gecko] (and therefore Firefox) relies on [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] to implement various cryptographic functions. NSS consists of a collection of loosely-coupled libraries; libssl, for example, is the TLS implementation. NSS is a Mozilla project, but its development differs significantly from the rest of the tree: it has its own tree that is periodically imported wholesale into [https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/mozilla-central mozilla-central]. The component that uses the NSS libraries in Firefox is a layer called [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/PSM PSM] ("Personal Security Manager" or "Privacy and Security Module").
To enable secure TLS connections to the best of our ability, PSM implements a certificate verification callback. It performs a number of checks, but ultimately it must determine whether it trusts a certificate presented by a peer. The approach PSM takes is to repeatedly build a potential path to a [https://en.wikipedia.org/wiki/Trust_anchor trust anchor], validate the potential path, and either return that path if it validates correctly or find another potential path. [https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/ mozilla::pkix] is a C++ library that provides a framework to implement this approach.
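The build-a-path, validate, backtrack loop described above, as an added example that is not PSM or mozilla::pkix code. It is a toy model: signatures are represented by matching key identifiers instead of real cryptography, the candidate issuers and anchors are a constructed trust domain, and the certificate names, key ids and day numbers are assumptions made up for the example. It shows why the search must backtrack rather than stop at the first issuer whose name matches: an expired cross-signed copy of an intermediate is rejected and the valid copy found, a certificate that names a trusted root as issuer but was not signed with its key yields no path, and a loop among candidate issuers terminates.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Added example, not mozilla::pkix or PSM code: a toy model of the loop PSM runs
// through mozilla::pkix, "build a candidate path to a trust anchor, validate it,
// otherwise try another". Signatures are modelled by matching key identifiers
// rather than real cryptography; names, key ids and dates below are constructed.
struct Cert {
    std::string subject;
    std::string keyId;        // identifies this cert's public key
    std::string issuer;       // issuer's subject name, as written in the cert
    std::string signedByKey;  // keyId of the key that produced the signature
    int notAfter;             // expiry as a day number
};

struct TrustDomain {
    std::vector<Cert> anchors;     // trust anchors: trusted by identity, not by signature
    std::vector<Cert> candidates;  // possible issuers: TLS-supplied, cached, cross-signed
    int now;                       // current day number
};

// One link of a chain is valid when the issuer name matches, the signature was
// made with the issuer's key, and the subordinate cert is still within validity.
// Matching on name alone is not enough: two certs may share a subject name.
static bool linkValid(const Cert& cert, const Cert& issuer, int now) {
    return cert.issuer == issuer.subject &&
           cert.signedByKey == issuer.keyId &&
           cert.notAfter >= now;
}

static bool alreadyOnPath(const std::vector<Cert>& path, const Cert& c) {
    for (const Cert& p : path)
        if (p.subject == c.subject && p.keyId == c.keyId) return true;
    return false;
}

// Depth-first search from the end-entity toward an anchor. `path` holds the
// certs chosen so far, leaf first. On success the anchor is appended and true
// is returned; on failure the caller pops its candidate and tries the next one.
static bool buildPath(const TrustDomain& td, std::vector<Cert>& path) {
    const Cert cert = path.back();  // copy: push_back below may reallocate
    for (const Cert& anchor : td.anchors)
        if (linkValid(cert, anchor, td.now)) {
            path.push_back(anchor);
            return true;
        }
    for (const Cert& issuer : td.candidates) {
        if (!linkValid(cert, issuer, td.now)) continue;
        if (alreadyOnPath(path, issuer)) continue;  // bounds cycles such as A -> B -> A
        path.push_back(issuer);
        if (buildPath(td, path)) return true;
        path.pop_back();  // this candidate led nowhere; backtrack and try the next
    }
    return false;
}

// Returns the validated path (leaf ... anchor), or an empty vector if none exists.
std::vector<Cert> verifyChain(const TrustDomain& td, const Cert& leaf) {
    std::vector<Cert> path{leaf};
    if (buildPath(td, path)) return path;
    return {};
}

std::string describePath(const std::vector<Cert>& path) {
    std::string s;
    for (size_t i = 0; i < path.size(); ++i) s += (i ? " <- " : "") + path[i].subject;
    return s;
}

// Constructed scenario: "Intermediate CA" is cross-signed. The copy signed by the
// old root has expired; the copy signed by the new root is valid. "Rogue CA" names
// the new root as issuer but was not signed with its key. "CA A"/"CA B" form a loop.
TrustDomain exampleDomain() {
    TrustDomain td;
    td.now = 1000;
    td.anchors = {
        {"Old Root", "k-oldroot", "Old Root", "k-oldroot", 9999},
        {"New Root", "k-newroot", "New Root", "k-newroot", 9999},
    };
    td.candidates = {
        {"Intermediate CA", "k-int", "Old Root", "k-oldroot", 900},   // expired cross-sign
        {"Intermediate CA", "k-int", "New Root", "k-newroot", 5000},  // still valid
        {"Rogue CA", "k-rogue", "New Root", "k-other", 5000},         // wrong signing key
        {"CA A", "k-a", "CA B", "k-b", 5000},
        {"CA B", "k-b", "CA A", "k-a", 5000},
    };
    return td;
}

Cert exampleLeaf() { return {"example.com", "k-leaf", "Intermediate CA", "k-int", 2000}; }
Cert rogueLeaf()   { return {"evil.example", "k-evil", "Rogue CA", "k-rogue", 2000}; }
Cert loopLeaf()    { return {"loop.example", "k-loop", "CA A", "k-a", 2000}; }

int main() {
    std::vector<Cert> path = verifyChain(exampleDomain(), exampleLeaf());
    std::cout << (path.empty() ? "no path" : describePath(path)) << "\n";
    std::cout << (verifyChain(exampleDomain(), rogueLeaf()).empty() ? "rogue: no path" : "rogue: path!?") << "\n";
    return 0;
}
```

The search tries the expired cross-signed intermediate first, finds that it cannot be linked to any anchor while still valid, pops it, and only then tries the second copy; a verifier that stopped at the first name match would have reported a failure. Real path building also has to consult revocation, name constraints, key usage and policy for every link, which is what mozilla::pkix's validation hooks exist for.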
== mozilla::pkix ==