зеркало из https://github.com/mozilla/gecko-dev.git
153dbb37e5
Due to design constraints, it is difficult for osclientcerts to properly indicate whether or not each known key supports RSA-PSS. Ideally such a determination would be made close to when a particular key is going to be used, but due to the design of PKCS#11 and NSS' tight coupling to it, osclientcerts would have to make this determination when searching for all known keys, which has been shown to be prohibitively slow on Windows and results in unexpected dialogs on macOS. Thus, previously osclientcerts simply assumed all RSA keys supported RSA-PSS. This has resulted in handshake failures when a server indicates that it accepts RSA-PSS signatures. This patch instead makes RSA-PSS support configurable via a pref (security.osclientcerts.assume_rsa_pss_support). If the pref is true, osclientcerts assumes all RSA keys support RSA-PSS. If it is false, it assumes no RSA keys support RSA-PSS. Differential Revision: https://phabricator.services.mozilla.com/D175966 |
||
|---|---|---|
| .. | ||
| tests/gtest | ||
| CRLiteTimestamp.h | ||
| CertVerifier.cpp | ||
| CertVerifier.h | ||
| ExtendedValidation.cpp | ||
| ExtendedValidation.h | ||
| NSSCertDBTrustDomain.cpp | ||
| NSSCertDBTrustDomain.h | ||
| OCSPCache.cpp | ||
| OCSPCache.h | ||
| TrustOverride-AppleGoogleDigiCertData.inc | ||
| TrustOverride-SymantecData.inc | ||
| TrustOverrideUtils.h | ||
| moz.build | ||