Closed
Bug 1004798
Opened 11 years ago
Closed 7 years ago
Certificate pinning needs a mozmill test
Categories
(Mozilla QA Graveyard :: Mozmill Tests, defect, P2)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: mmc, Unassigned)
References
(Blocks 1 open bug)
Details
Bug 744204 landed, which enabled certificate pinning on a handful of Mozilla domains:
*.addons.mozilla.org
*.addons.mozilla.net
*.cdn.mozilla.net
*.cdn.mozilla.org
*.media.mozilla.com
This means that HTTPS connections to these domains may break because of pinning, which forces the certificate to match a known CA issuer.
A mozmill test to make HTTPS connections to each of these domains would be great to detect any regressions caused by pinning. For the cdn domains, we need to specify a subdomain or particular resource because https://cdn.mozilla.net doesn't actually resolve.
Comment 1•11 years ago (Reporter)
https://mozorg.cdn.mozilla.net/ works, haven't found one for cdn.mozilla.org yet.
Comment 2•11 years ago
Monica, would you mind giving us some more details on what specific checks we have to perform, what the results should be, and what failures look like? Especially the latter is important, so we can have a negative test too.
Flags: needinfo?(mmc)
OS: Mac OS X → All
Priority: -- → P2
Hardware: x86 → All
Comment 3•11 years ago (Reporter)
Hi Henrik,
For this we can't really construct a negative test (unless we pin a test domain that has an incorrect cert, which we already unit test). For more coverage we can add a lot of popular subdomains of the pinned sites -- right now with Mozilla domains only that's not very interesting, though.
Mostly we want to make sure that pinning doesn't break anything, because in production it depends on live certificates. For all domains on the pinned list, you should be able to connect over HTTPS with security.cert_pinning.enforcement_level=2 and receive HTTP 200s back. If there is a pinning error, then the connection will fail.
The xpcshell test on fake domains is https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/tests/unit/test_pinning.js.
Thanks,
Monica
Flags: needinfo?(mmc)
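A sketch of the check Comment 3 describes, as an added example that is not from this bug or from Mozilla's test suites: every tested host under a pinned pattern must answer HTTPS with a 200, and a failed connection is reported separately from a non-200 status. The `probe` callback, the function names and the wildcard-matching rule are assumptions of this example; only the pattern list and the preference name come from the bug.

```javascript
// Added example (not from the bug or Mozilla's test suites).
// Pinned patterns as listed in the bug description.
const PINNED_PATTERNS = [
  "*.addons.mozilla.org",
  "*.addons.mozilla.net",
  "*.cdn.mozilla.net",
  "*.cdn.mozilla.org",
  "*.media.mozilla.com",
];

// Assumption of this example: "*.suffix" covers any host with at least one
// extra label, so the bare suffix (e.g. cdn.mozilla.net) is not a test target.
function patternFor(host) {
  const h = host.toLowerCase();
  return PINNED_PATTERNS.find((p) => {
    const suffix = p.slice(1); // "*.cdn.mozilla.net" -> ".cdn.mozilla.net"
    return h.length > suffix.length && h.endsWith(suffix);
  }) || null;
}

// Turn one probe result into a verdict. `result` is { status } for a
// completed request or { error } when the connection itself failed.
function classify(host, result) {
  const pattern = patternFor(host);
  if (!pattern) return { host, pattern, outcome: "not-pinned" };
  if (result.error) return { host, pattern, outcome: "connection-failed", detail: result.error };
  const outcome = result.status === 200 ? "ok" : "bad-status";
  return { host, pattern, outcome, detail: result.status };
}

// `probe(url)` is hypothetical: it must load the URL in a Firefox profile with
// security.cert_pinning.enforcement_level=2 and resolve to { status }.
async function checkPinnedHosts(hosts, probe) {
  const report = [];
  for (const host of hosts) {
    let result;
    try {
      result = await probe(`https://${host}/`);
    } catch (err) {
      result = { error: String((err && err.message) || err) };
    }
    report.push(classify(host, result));
  }
  return report;
}

// Patterns with no host that came back "ok": either untested or regressed.
function uncoveredPatterns(report) {
  const ok = new Set(report.filter((r) => r.outcome === "ok").map((r) => r.pattern));
  return PINNED_PATTERNS.filter((p) => !ok.has(p));
}
```

A "connection-failed" verdict is the one to investigate as a possible pinning regression; "bad-status" means the TLS connection succeeded and the problem lies elsewhere.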
Comment 4•11 years ago (Reporter)
Soon pinningtest.appspot.com will be able to serve as a negative test.
Comment 5•9 years ago
Patrick, while checking old bugs I found this request for a test. Do you think that this would still be a useful and wanted test? If yes we can get it added to the firefox-ui-tests suite. Thanks.
Flags: needinfo?(mcmanus)
Comment 6•7 years ago
Mozmill is dead, WONTFIX the remaining bugs.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Updated•6 years ago
Product: Mozilla QA → Mozilla QA Graveyard
Updated•1 year ago
Flags: needinfo?(mcmanus)