Changes

[https://www.guru99.com/gecko-marionette-driver-selenium.html Gecko ] (and therefore Firefox) relies on [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] to implement various cryptographic functions. NSS consists of a collection of loosely-coupled libraries. libssl, for example, is the TLS implementation. NSS is a Mozilla project, but its development differs significantly from the rest of the tree. In fact, it has its own tree that is periodically imported wholesale into [https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/mozilla-centralmozilla-central]. The component that uses the NSS libraries in Firefox is a layer called [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/PSM PSM ] ("Personal Security Manager" or "Privacy and Security Module").

To enable secure TLS connections to the best of our ability, PSM implements a certificate verification callback. It performs a number of checks, but ultimately it must determine if it trusts a certificate presented by a peer. The approach PSM takes is to repeatedly build a potential path to a [https://en.wikipedia.org/wiki/Trust_anchor trust anchor], validate the potential path, and either return that path if it validates correctly or find another potential path. [https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/ mozilla::pkix ] is a C++ library that provides a framework to implement this approach.