Line 75: | Line 75: | ||
Mozilla::pkix includes some changes in support of current best practices and policies, as listed below. If you notice an issue due to any of these changes, please feel free to [https://groups.google.com/d/msg/mozilla.dev.tech.crypto/EbWse7Ryj8I/mgNRW4yGAwUJ let us know]. However, we believe that in most cases, the simplest resolution will be to update the SSL certificate in your webserver. | Mozilla::pkix includes some changes in support of current best practices and policies, as listed below. If you notice an issue due to any of these changes, please feel free to [https://groups.google.com/d/msg/mozilla.dev.tech.crypto/EbWse7Ryj8I/mgNRW4yGAwUJ let us know]. However, we believe that in most cases, the simplest resolution will be to update the SSL certificate in your webserver. | ||
# End-entity certificates used in TLS servers: | # End-entity certificates used in TLS servers: | ||
# | #* Are not allowed to have basic constraints asserting isCA=TRUE. | ||
# | #* When the EKU extension is specified, must assert the serverAuth bit. | ||
# | #* Are no longer allowed to include the OCSPSigning EKU. | ||
# Mozilla::pkix does not allow x509 version 2 certificates in any position (root, intermediate or End-Entity (EE)) and version 1 certificates are only allowed as trust anchors. {{Bug|969188}} | # Mozilla::pkix does not allow x509 version 2 certificates in any position (root, intermediate or End-Entity (EE)) and version 1 certificates are only allowed as trust anchors. {{Bug|969188}} | ||
# Version 3 certificates used as trust anchors or intermediates are now required to have the basic constraints extention and assert the isCA bit. | # Version 3 certificates used as trust anchors or intermediates are now required to have the basic constraints extention and assert the isCA bit. |
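Review bot: In the new sub-item "When the EKU extension is specified, must assert the serverAuth bit", the wording is imprecise. Extended Key Usage is a list of key purpose OIDs rather than a bit field, so "must include the serverAuth key purpose (id-kp-serverAuth)" would be more accurate and easier to check against a certificate dump. In the last item, "extention" should be "extension". The version item writes "x509" where "X.509" is the usual form, and it introduces "End-Entity (EE)" only after "End-entity" has already been used in the first item, so the abbreviation should be defined at first use with consistent capitalisation. It would also help to say whether the three end-entity sub-items are enforced only for TLS server certificates, as the parent item implies, since the version and basic constraints items below apply to every position in the chain.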