Bug 683449 - Really remove the exemptions; r=kaie over irc GECKO70_2011083111_RELBRANCH CALENDAR_1_0b6_BUILD1 CALENDAR_1_0b6_BUILD2 CALENDAR_1_0b6_BUILD3 CALENDAR_1_0b6_BUILD4 CALENDAR_1_0b6_BUILD5 CALENDAR_1_0b6_RELEASE FENNEC_7_0b4_BUILD2 FENNEC_7_0b4_RELEASE FIREFOX_7_0b4_BUILD2 FIREFOX_7_0b4_RELEASE SEAMONKEY_2_4b1_BUILD1 SEAMONKEY_2_4b1_RELEASE THUNDERBIRD_7_0b2_BUILD2 THUNDERBIRD_7_0b2_RELEASE
authorEhsan Akhgari <ehsan@mozilla.com>
Fri, 02 Sep 2011 14:58:49 -0400
branchGECKO70_2011083111_RELBRANCH
changeset 73111 ff20a21364bb17b75f19b33fad6ce142e91f182f
parent 73110 be5822b6bccc672a4a0ca61c3c0994ae53cd0711
child 73119 009d652a22d3eafe6c7d30a7a31b1419cad5a3aa
push id1
push usersledru@mozilla.com
push dateThu, 04 Dec 2014 17:57:20 +0000
reviewerskaie
bugs683449
milestone7.0
Bug 683449 - Really remove the exemptions; r=kaie over irc
security/manager/ssl/src/nsNSSCallbacks.cpp
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -1080,28 +1080,16 @@ PSM_SSL_BlacklistDigiNotar(CERTCertifica
   PRBool isDigiNotarIssuedCert = PR_FALSE;
 
   for (CERTCertListNode *node = CERT_LIST_HEAD(serverCertChain);
        !CERT_LIST_END(node, serverCertChain);
        node = CERT_LIST_NEXT(node)) {
     if (!node->cert->issuerName)
       continue;
 
-    // If it's one of the "Staat der Nederlanden Root"s, then don't blacklist.
-    // Compare names, and ensure it's a self-signed root.
-    if ((!strcmp(node->cert->issuerName,
-                "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ||
-         !strcmp(node->cert->issuerName,
-                "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL")) &&
-        SECITEM_ItemsAreEqual(&node->cert->derIssuer,&node->cert->derSubject)
-        ) {
-      // keep as valid
-      return 0;
-    }
-
     if (strstr(node->cert->issuerName, "CN=DigiNotar")) {
       isDigiNotarIssuedCert = PR_TRUE;
     }
   }
 
   if (isDigiNotarIssuedCert) {
     // let's see if we want to worsen the error code to revoked.
     PRErrorCode revoked_code = PSM_SSL_DigiNotarTreatAsRevoked(serverCert, serverCertChain);