summaryrefslogtreecommitdiffstats
path: root/net/cert/cert_verify_proc_nss.cc
diff options
context:
space:
mode:
Diffstat (limited to 'net/cert/cert_verify_proc_nss.cc')
-rw-r--r--net/cert/cert_verify_proc_nss.cc29
1 files changed, 0 insertions, 29 deletions
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
index 120f091..f63297e 100644
--- a/net/cert/cert_verify_proc_nss.cc
+++ b/net/cert/cert_verify_proc_nss.cc
@@ -162,10 +162,6 @@ CertStatus MapCertErrorToCertStatus(int err) {
void GetCertChainInfo(CERTCertList* cert_list,
CERTCertificate* root_cert,
CertVerifyResult* verify_result) {
- // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the
- // NSS version currently in use:
- // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*)
- // 2. use ident libnss3.so* for the library's version
DCHECK(cert_list);
CERTCertificate* verified_cert = NULL;
@@ -367,31 +363,6 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
bool use_crl = check_revocation;
bool use_ocsp = check_revocation;
- // These CAs have multiple keys, which trigger two bugs in NSS's CRL code.
- // 1. NSS may use one key to verify a CRL signed with another key,
- // incorrectly concluding that the CRL's signature is invalid.
- // Hopefully this bug will be fixed in NSS 3.12.9.
- // 2. NSS considers all certificates issued by the CA as revoked when it
- // receives a CRL with an invalid signature. This overly strict policy
- // has been relaxed in NSS 3.12.7. See
- // https://bugzilla.mozilla.org/show_bug.cgi?id=562542.
- // So we have to turn off CRL checking for these CAs. See
- // http://crbug.com/55695.
- static const char* const kMultipleKeyCA[] = {
- "CN=Microsoft Secure Server Authority,"
- "DC=redmond,DC=corp,DC=microsoft,DC=com",
- "CN=Microsoft Secure Server Authority",
- };
-
- if (!NSS_VersionCheck("3.12.7")) {
- for (size_t i = 0; i < arraysize(kMultipleKeyCA); ++i) {
- if (strcmp(cert_handle->issuerName, kMultipleKeyCA[i]) == 0) {
- use_crl = false;
- break;
- }
- }
- }
-
PRUint64 revocation_method_flags =
CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
CERT_REV_M_ALLOW_NETWORK_FETCHING |
generated by cgit v1.1 at 2025-01-07 22:30:23 +0000