Bug 962740 - January 2014 batch of EV root CA changes

Status: RESOLVED FIXED (closed)
Opened 10 years ago; closed 10 years ago
Product / Component: Core :: Security: PSM (enhancement)
Target Milestone: mozilla30
Reporter: kathleen.a.wilson; Assignee: cviecco
Attachments (1 file): ev-jan-2014-batch, patch, 2.64 KB, keeler: review+
Description (Reporter)

The purpose of this bug is to use a single patch to make the code changes for the January 2014 batch of EV-enablement changes (see the list of bugs this one blocks). Please enable EV treatment for the following root certs by making the requested modifications to source/security/manager/ssl/src/nsIdentityChecking.cpp

Bug #935674 – Firmaprofesional
Test URL: https://publifirma.firmaprofesional.com/
Add these lines:

    {
      // CN = Autoridad de Certificacion Firmaprofesional CIF A62634068, C = ES
      "1.3.6.1.4.1.13177.10.1.3.10",
      "Firmaprofesional EV OID",
      SEC_OID_UNKNOWN,
      "AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA",
      "MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh"
      "Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=",
      "U+w77vuySF8=",
      nullptr
    },

Bug #901608 – TWCA
Test URL: https://evssldemo3.twca.com.tw/index.html
Add these lines:

    {
      // CN = TWCA Global Root CA, OU = Root CA, O = TAIWAN-CA, C = TW
      "1.3.6.1.4.1.40869.1.1.22.3",
      "TWCA EV OID",
      SEC_OID_UNKNOWN,
      "9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65",
      "MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv"
      "b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=",
      "DL4=",
      nullptr
    },

Bug #915946 – E-Tugra
Test URL: https://sslev.e-tugra.com.tr/
Add these lines:

    {
      // CN = E-Tugra Certification Authority, OU = E-Tugra Sertifikasyon Merkezi, O = E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., L = Ankara, C = TR
      "2.16.792.3.0.4.1.1.4",
      "ETugra EV OID",
      SEC_OID_UNKNOWN,
      "51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39",
      "MIGyMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1"
      "xJ9yYSBFQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEu"
      "xZ4uMSYwJAYDVQQLDB1FLVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYG"
      "A1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
      "amg+nFGby1M=",
      nullptr
    },

After you make the change, please update this bug with a link to the test build. I will test, and then ask the corresponding CAs to test. Thanks.
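Each entry above carries a base64 DER-encoded issuer Name and a base64 serial number next to a human-readable comment; a reviewer can check that the two agree before the table is committed. The script below is an added example written for this page, not code from the bug, the patch, or Mozilla's tree. It uses only the Python standard library and a minimal DER decoder for the X.509 Name structure (SEQUENCE of SET of SEQUENCE { OID, string }), so it runs offline. The three entries it embeds are the ones requested in this bug; the function names (read_tlv, decode_dn, decode_serial, check_entry) and the ATTR_NAMES table are the example's own.

```python
"""Check the issuer-DN and serial columns of EV root entries (added example, not Mozilla code)."""
import base64

# Attribute-type OIDs that occur in the issuer names on this bug; anything else is
# rendered in dotted-decimal form.
ATTR_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
}

# The three entries requested in this bug: (comment DN, base64 DER Name, base64 serial).
EV_ENTRIES = [
    ("CN = Autoridad de Certificacion Firmaprofesional CIF A62634068, C = ES",
     "MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh"
     "Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=",
     "U+w77vuySF8="),
    ("CN = TWCA Global Root CA, OU = Root CA, O = TAIWAN-CA, C = TW",
     "MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv"
     "b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=",
     "DL4="),
    ("CN = E-Tugra Certification Authority, OU = E-Tugra Sertifikasyon Merkezi, "
     "O = E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., L = Ankara, C = TR",
     "MIGyMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1"
     "xJ9yYSBFQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEu"
     "xZ4uMSYwJAYDVQQLDB1FLVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYG"
     "A1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
     "amg+nFGby1M="),
]


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:end], end


def decode_oid(contents):
    """Turn DER OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs = [contents[0] // 40, contents[0] % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_string(tag, contents):
    """Decode the directory-string types that occur in CA names."""
    if tag == 0x0C:                     # UTF8String
        return contents.decode("utf-8")
    if tag in (0x13, 0x16):             # PrintableString, IA5String
        return contents.decode("ascii")
    if tag == 0x1E:                     # BMPString
        return contents.decode("utf-16-be")
    raise ValueError("unsupported string tag 0x%02x" % tag)


def decode_dn(b64_name):
    """Decode a base64 DER Name and render it CN-first, the order the
    nsIdentityChecking.cpp comments use (DER stores it C-first)."""
    der = base64.b64decode(b64_name)
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name is not a single DER SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)          # RelativeDistinguishedName ::= SET
        if tag != 0x31:
            raise ValueError("RDN is not a SET")
        atvs, p = [], 0
        while p < len(rdn):
            tag, atv, p = read_tlv(rdn, p)          # AttributeTypeAndValue ::= SEQUENCE
            oid_tag, oid, q = read_tlv(atv, 0)
            val_tag, val, _ = read_tlv(atv, q)
            if tag != 0x30 or oid_tag != 0x06:
                raise ValueError("malformed AttributeTypeAndValue")
            dotted = decode_oid(oid)
            atvs.append("%s = %s" % (ATTR_NAMES.get(dotted, dotted), decode_string(val_tag, val)))
        rdns.append(" + ".join(atvs))               # multi-valued RDNs joined with '+'
    return ", ".join(reversed(rdns))


def decode_serial(b64_serial):
    """Render the base64 serial-number column as colon-separated hex."""
    return ":".join("%02X" % b for b in base64.b64decode(b64_serial))


def check_entry(comment_dn, b64_name, b64_serial):
    """Return (dn_matches_comment, decoded_dn, serial_hex) for one table entry."""
    dn = decode_dn(b64_name)
    return dn == comment_dn, dn, decode_serial(b64_serial)


if __name__ == "__main__":
    for comment_dn, b64_name, b64_serial in EV_ENTRIES:
        ok, dn, serial = check_entry(comment_dn, b64_name, b64_serial)
        print("OK      " if ok else "MISMATCH", dn, "| serial", serial)
```

Only the DN and serial columns can be verified this way; the SHA-1 fingerprint column needs the root certificate itself, and the EV policy OID needs the CA's documented policy, so those two are checked separately against the CA bug that requested the entry.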
Updated•10 years ago
Assignee: nobody → cviecco

Comment 1•10 years ago (Assignee)
https://tbpl.mozilla.org/?tree=Try&rev=41859fee58b0

However, the TWCA site is a fail. :( There is something wrong with the OCSP (I think it is their side), so the page will halt for a while and then fall back to DV.
Comment 2•10 years ago
Can we defer this to Firefox 31? We have many things to do for Firefox 30 still and we're running out of runway--especially if you still want the 1024-bit root removals to happen in Firefox 29 or 30.
Flags: needinfo?(kwilson)
Comment 3•10 years ago (Reporter)
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #2)
> Can we defer this to Firefox 31?

Yes.
Flags: needinfo?(kwilson)
Comment 4•10 years ago (Reporter)
(In reply to Camilo Viecco (:cviecco) from comment #1)
> https://tbpl.mozilla.org/?tree=Try&rev=41859fee58b0
>
> However the TWCA site is a fail. :( there is something wrong witht the
> ocsp (I think is their side) so the page will halt for a while and then
> fallback to dv.

Interesting. I tested it yesterday with ESR 24 debug, and got the EV treatment. I'll test it again tomorrow.
Comment 5•10 years ago (Reporter)
(In reply to Kathleen Wilson from comment #4)
> (In reply to Camilo Viecco (:cviecco) from comment #1)
> > https://tbpl.mozilla.org/?tree=Try&rev=41859fee58b0
> >
> > However the TWCA site is a fail. :( there is something wrong witht the
> > ocsp (I think is their side) so the page will halt for a while and then
> > fallback to dv.
>
> Interesting. I tested it yesterday with ESR 24 debug, and got the EV
> treatment.
> I'll test it again tomorrow.

I just tested again with ESR 24 debug, and got the EV treatment for the TWCA test. Will try again when we're ready to test with FF 31. Thanks.
Comment 6•10 years ago (Assignee)
So I think there is a race condition on the display of EV certs. I was looking at the logs and noticed that sometimes EV was declared successful. If I try https://evssldemo3.twca.com.tw/index_files/logo_en.gif (erasing history) and reload several times, eventually the display wins the race and I get EV treatment. Will need to investigate this further.
Comment 7•10 years ago

I use the released version of Firefox to test, and set the option that an OCSP validation failure will treat the certificate as invalid. The DV status is OK. I have not tested the EV treatment; where can I download the test version?

Thanks,
Robin Lin
Comment 8•10 years ago (Assignee)
(In reply to Robin Lin from comment #7)
> I use released version of Firefox to test, and set the option of OCSP
> validation fail will treat the certificate is invalid.
> The DV status is OK. I have not test the EV treatment, where can I download
> the test version?

You can download from https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/cviecco@mozilla.com-41859fee58b0/

The issue that I found is that (from the Mozilla office) DNS resolution for the OCSP responders is too slow (2.5 seconds to report initial failure) and thus the timeout for getting OCSP responses is reached (10 seconds, after multiple DNS resolution attempts), and we fall back to DV validation. Once it is on the DV path we currently cache the resource with the SSL state, so that from that moment on we keep showing DV status for that particular URL until the browser cache gets invalidated.
Comment 9•10 years ago (Reporter)
(In reply to Camilo Viecco (:cviecco) from comment #8)
> Once it
> is on the DV path we currently cache the resource with the ssl state so that
> from that moment on we keep showing DV status for that particular URL until
> the browser cache gets invalidated.

So, if a website upgrades to an EV SSL cert, all of their customers who previously browsed to their website will not see the EV treatment until they refresh their browser cache?
Comment 10•10 years ago

My understanding is that if the certificate changes, the cached status will be updated.
Comment 11•10 years ago
I used nightly build 30 to test; both our 2048-bit and 4096-bit CAs could not get the EV treatment. But it is OK for the existing EV root when using Firefox 27.
Comment 12•10 years ago (Reporter)
(In reply to Camilo Viecco (:cviecco) from comment #6)
> So I think there is a race condition on the display of EV certs.

(In reply to Robin Lin from comment #11)
> I used nightly build 30 to test, both our 2048 bits and 4096 bits CA could
> not get the EV treatment.
> But it is OK for existing EV Root if using Firefox 27.

Camilo, did something change between Firefox 27 and Firefox 30 that might explain why we are now seeing this race condition?
Comment 13•10 years ago (Assignee)
> Camilo, Did something change between Firefox 27 and Firefox 30 that might
> explain why we are now seeing this race condition?

The OCSP timeouts were reduced, so it went from 20 secs to 13 secs for EV. Anyway, 13 seconds is way too much. I just tested the TWCA site and it worked with EV now. (Seems like DNS is now better.)
Comment 14•10 years ago (Assignee)

Attachment #8389465 - Flags: review?(dkeeler)

Comment 15•10 years ago

Comment on attachment 8389465 [details] [diff] [review]
ev-jan-2014-batch

Review of attachment 8389465 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.

Attachment #8389465 - Flags: review?(dkeeler) → review+
Comment 16•10 years ago
https://hg.mozilla.org/mozilla-central/rev/a1a9976d954e
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Comment 17•10 years ago (Reporter)
Thanks!