Bug 1338228 (Closed)
Opened 7 years ago, Closed 7 years ago
Deprecate SHA-1 to 100% of Beta Users and 25% of Release Users

Categories: Core :: Security: PSM, enhancement, P1
Status: RESOLVED FIXED
People: Reporter: jcj, Assigned: keeler
Whiteboard: [psm-assigned]

Attachments (3 files, 1 obsolete file):
* 2.16 KB, patch; jcj: review+; jcristau: approval-mozilla-beta+
* 4.78 KB, application/octet-stream
* 8.66 KB, application/x-xpinstall
Description

Follow on to Bug 1328718 and Bug 1336616: Per the SHA-1 Shutoff Plan [1], we're going to update the system addon's Beta-channel test threshold to 100% for this coming week of 13 Feb. The goal would be to include this into Beta 7, so that it lands on 15 or 16 February 2017.

[1] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
Comment 1 (Assignee) • 7 years ago

Attachment #8835675 - Flags: review?(jjones)
Comment 2 (Reporter) • 7 years ago

Comment on attachment 8835675 [details] [diff] [review]
1338228-disable-sha1-beta-100pct.diff

Review of attachment 8835675 [details] [diff] [review]:
Everything is proceeding as I have foreseen.

Attachment #8835675 - Flags: review?(jjones) → review+
Comment 3 (Reporter) • 7 years ago

Per our request to release-drivers and gofaster for an accelerated schedule, let's go ahead and include 25% of Release users in this change. If we don't get approval to make that accelerated schedule, we need only ensure Gofaster doesn't push this one out to release.

Summary: Deprecate SHA-1 to 100% of Beta Users → Deprecate SHA-1 to 100% of Beta Users and 25% of Release Users
Comment 4 (Assignee) • 7 years ago

It's over, SHA-1! I have the high ground!

Attachment #8835675 - Attachment is obsolete: true
Attachment #8835728 - Flags: review?(jjones)
Comment 5 (Reporter) • 7 years ago

Comment on attachment 8835728 [details] [diff] [review]
1338228-disable-sha1-beta-100pct-release-25pct.diff

Review of attachment 8835728 [details] [diff] [review]:
SHA-1 is going to need some serious upgrades after the sabering that's coming to it. Perhaps it'll need to be upgraded to... SHA-2.

Attachment #8835728 - Flags: review?(jjones) → review+
Comment 6 (Assignee) • 7 years ago

Jason, if you could sign this, that would be great. Thanks!

Flags: needinfo?(jthomas)
Comment 8 (Assignee) • 7 years ago

Thanks!

Justin, using attachment 8835774 [details], could you please confirm that:
* security.pki.sha1_enforcement_level gets set to 3 100% of the time on beta/52 (given that the user hasn't opted out)
* security.pki.sha1_enforcement_level gets set to 3 25% of the time on release/51

Much appreciated!

Flags: needinfo?(jwilliams)
Comment 10 (Assignee) • 7 years ago

Comment on attachment 8835728 [details] [diff] [review]
1338228-disable-sha1-beta-100pct-release-25pct.diff

Thanks! (adapted from bug 1336616 comment 9)

Approval Request Comment
[Feature/Bug causing the regression]: SHA-1 deprecation staged rollout
[User impact if declined]: users won't be protected against potential collisions found against certificates signed with SHA-1
[Is this code covered by automated tests?]: n/a
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: QE done in comment 9
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not very
[Why is the change risky/not risky?]: This is a staged rollout update to the code in Bug 1328718.
[String changes made/needed]: none

Attachment #8835728 - Flags: approval-mozilla-beta?
Comment 11 • 7 years ago

Comment on attachment 8835728 [details] [diff] [review]
1338228-disable-sha1-beta-100pct-release-25pct.diff

Next step of SHA-1 deprecation for beta52.

Attachment #8835728 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 12 • 7 years ago

bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/3a0e9dab3864

status-firefox52: --- → fixed
Comment 13 • 7 years ago

bugherder uplift
https://hg.mozilla.org/releases/mozilla-esr52/rev/3a0e9dab3864

status-firefox-esr52: --- → fixed
Comment 14 • 7 years ago

Manual testing is currently blocked here for the fact that a forced update check brings disableSHA1rollout v1.1 instead of v1.2 on the "release-sysaddon" update channel. Note that:
* the update.xml associated to (e.g.) 51.0-build2-win32-en-US shows v1.2, see [1]
* the patches pushed in this bug also show v1.2

Also, per my conversation with J.C. Jones, users should be seeing the following neterror messages, according to the system add-on's state:
* SEC_ERROR_EXPIRED_CERTIFICATE when disableSHA1rollout is not in effect (i.e. SHA-1 was _not_ disabled)
* SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED when disableSHA1rollout is in effect (i.e. SHA-1 was actually disabled)

Justin, could you please confirm the above?

[1] https://aus5.mozilla.org/update/3/SystemAddons/51.0/20170118123726/default/en-US/release-sysaddon/default/default/default/update.xml

Flags: needinfo?(jwilliams)
Comment 15 • 7 years ago

(In reply to Andrei Vaida, QA [:avaida] – please ni? me from comment #14)
> Manual testing is currently blocked here for the fact that a forced update
> check brings disableSHA1rollout v1.1 instead of v1.2 on the
> "release-sysaddon" update channel. Note that:
>
> * the update.xml associated to (e.g.) 51.0-build2-win32-en-US shows v1.2, see [1]
>
> * the patches pushed in this bug also show v1.2

Update: this turned out to be some sort of environment issue. The correct version (v1.2) of disableSHA1rollout is installed on 51.*, as expected. Manual testing has been resumed, we'll check our test results against Justin's feedback, but things seem to be working as intended so far.
Comment 16 • 7 years ago

(In reply to Andrei Vaida, QA [:avaida] – please ni? me from comment #14)
> Manual testing is currently blocked here for the fact that a forced update
> check brings disableSHA1rollout v1.1 instead of v1.2 on the
> "release-sysaddon" update channel. Note that:

I am seeing v1.2 not v1.1.

> Also, per my conversation with J.C. Jones, users should be seeing the
> following neterror messages, according to the system add-on's state:
>
> * SEC_ERROR_EXPIRED_CERTIFICATE
> when disableSHA1rollout is not in effect (i.e. SHA-1 was _not_ disabled)
>
> * SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
> when disableSHA1rollout is in effect (i.e. SHA-1 was actually disabled)

I do not see any SEC_ERRORs in the Browser Console.

Flags: needinfo?(jwilliams)
Comment 17 (Reporter) • 7 years ago

This go-faster addon reached release Thursday/Friday last week, so going to close this.

Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED