What information should nsISSLStatus expose

What information should nsISSLStatus expose

Tom Schuster
Hello!

I am changing nsISSLStatus right now in Bug 886752 [1] and adding the
SSL/TLS protocol version as a property on nsISSLStatus.
Because this information is cached, changing the interface invalidates the
cache for encrypted pages, which shouldn't be done too often.

I am adding the NSS cipher-suite to the information that is cached, which
allows us to easily access all the information that is saved in
SSLCipherSuiteInfo [2]. Right now SSLStatus has three getters, which map to
the following fields in that struct:

keyLength: symKeyBits
secretKeyLength: effectiveKeyBits
cipherName: cipherSuiteName

All of those seem badly named. We should probably add new and more
descriptive getters. What else should be exposed?

SSLChannelInfo has the two fields authKeyBits and keaKeyBits, are those
important?

-Tom

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=886752
[2] http://dxr.mozilla.org/mozilla-central/source/security/nss/lib/ssl/sslt.h?from=SSLCipherSuiteInfo&case=true#162
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: What information should nsISSLStatus expose

Martin Thomson
On 2014-10-21, at 22:20, Tom Schuster <[hidden email]> wrote:

> All of those seem badly named. We should probably add new and more
> descriptive getters. What else should be exposed?

“Should” or “should not” depends on what needs to be consumed, and where.

What’s your reasoning for adding the extra information?

> SSLChannelInfo has the two fields authKeyBits and keaKeyBits, are those
> important?

I’d say so, but it depends on context.  For example, we might need to check that key exchange meets some minimum strength level before we proceed with a false start (for example).