Comment 27 for bug 741528

Kai Engert (kaie) wrote:

Mike,

this code path is executed each time we do a handshake with any SSL server.

However, the test starts with a simple string comparison.
If the issuer name does not match, then all remaining code is skipped.

This alone eliminates the risk for all CAs that are not connected to this issue.

If the issuer name matches, we will compare the certificate serial number of the server cert against our blacklist.

The rest of the code is skipping initial zeros, and looping through our blacklist, then a final memory comparison.

This isn't risky code, no memory allocation etc., but simple iteration, looping and comparison, and code review shows we carefully deal with boundaries. I don't see risks for side effects.

I made it easy for testing.
We received a test certificate that I installed on a server, and that we will keep around for testing the QA candidate, and longer.

The test instructions are described in comment 8.

In my opinion, the only work that needs to be repeated, if you want to: Test that you can still connect to a variety of https/SSL sites.

If you can still connect, and are not being blocked, all is fine.
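
The check described in the comment above, sketched as an added example that is not part of the original comment and not the project's own code. The function name, issuer string and serial bytes are constructed placeholders, and the list is assumed to store serials without leading zero bytes.

```c
#include <stddef.h>
#include <string.h>

/* Constructed placeholder data: not a real issuer name or real serials. */
static const char BLOCKED_ISSUER[] = "CN=Example Placeholder CA";

struct serial_entry { const unsigned char *bytes; size_t len; };

static const unsigned char SERIAL_A[] = { 0x01, 0x23, 0x45 };
static const unsigned char SERIAL_B[] = { 0xAB, 0xCD, 0xEF, 0x01 };
static const struct serial_entry BLACKLIST[] = {
    { SERIAL_A, sizeof SERIAL_A },
    { SERIAL_B, sizeof SERIAL_B },
};

/* Returns 1 if the server certificate must be rejected, 0 otherwise.
 * No allocation: only a string compare, a bounded loop and memcmp. */
int is_blacklisted(const char *issuer,
                   const unsigned char *serial, size_t serial_len)
{
    size_t i;

    if (issuer == NULL || serial == NULL)
        return 0;

    /* Step 1: simple string comparison. Certificates from any other
     * issuer leave here, so the rest never runs for them. */
    if (strcmp(issuer, BLOCKED_ISSUER) != 0)
        return 0;

    /* Step 2: skip initial zero bytes so a padded encoding of the same
     * serial number still matches. The length check keeps us in bounds. */
    while (serial_len > 0 && *serial == 0x00) {
        serial++;
        serial_len--;
    }

    /* Step 3: loop through the list; compare lengths first so memcmp
     * never reads past the shorter buffer and prefixes do not match. */
    for (i = 0; i < sizeof BLACKLIST / sizeof BLACKLIST[0]; i++) {
        if (BLACKLIST[i].len == serial_len &&
            memcmp(BLACKLIST[i].bytes, serial, serial_len) == 0)
            return 1;
    }
    return 0;
}
```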