Upgrade Firefox ESR 31.x to NSS 3.16.2.3

RESOLVED FIXED in Firefox -esr31, Firefox OS v1.4

Status: RESOLVED FIXED
Product: Core
Component: Security: PSM
Reported: 3 years ago
Last modified: 3 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

Version: 31 Branch
Target Milestone: mozilla34

Firefox Tracking Flags

(firefox34 unaffected, firefox35 unaffected, firefox36 unaffected, firefox-esr3134+ fixed, b2g-v1.4 fixed, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.2 unaffected)

Attachments

(1 attachment)

Description (kaie, assignee), 3 years ago
I suggest to upgrade the Firefox 31 Enterprise Support branch (ESR) to a newer NSS version, which implements support for the TLS_FALLBACK_SCSV.

While Firefox 31.3 will probably disable SSL 3 by default (currently being discussed), there might be users that are required to re-enable SSL 3, because they have to work with legacy devices in their environment.

Using a version of NSS that supports TLS_FALLBACK_SCSV and the patch from bug 1036737 might benefit those users.
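The downgrade protection this bug is asking to ship, as an added illustration that is not part of this bug, of NSS or of Firefox: a small Python model of the RFC 7507 TLS_FALLBACK_SCSV mechanism. The version numbers, the SCSV value 0x5600 and the inappropriate_fallback alert are taken from RFC 7507 / RFC 5246; the toy client, the toy server, the cipher-suite list and the three scenarios are assumptions constructed for this example. It shows the point kaie makes: a user who re-enables SSL 3 for a legacy device still gets protection against a forced downgrade when talking to a server that supports newer TLS and implements the SCSV, while the legacy device itself keeps working.

```python
"""Model of TLS_FALLBACK_SCSV (RFC 7507) downgrade protection.

Constructed illustration, not NSS or Firefox code. The version numbers,
the SCSV value 0x5600 and the inappropriate_fallback alert come from
RFC 7507 / RFC 5246; the toy client, toy server and scenarios are
assumptions made for this example.
"""
import struct
from dataclasses import dataclass

# Protocol versions as (major, minor); tuples compare in version order.
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)

TLS_FALLBACK_SCSV = 0x5600                 # RFC 7507 signalling cipher suite
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F      # ordinary suites, for illustration
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
DEFAULT_SUITES = [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]


class InappropriateFallback(Exception):
    """Stands in for the fatal inappropriate_fallback(86) alert."""


@dataclass
class ClientHello:
    version: tuple
    cipher_suites: list

    def encode_cipher_suites(self) -> bytes:
        """TLS wire form: 2-byte length followed by 2-byte suite codes."""
        body = b"".join(struct.pack("!H", s) for s in self.cipher_suites)
        return struct.pack("!H", len(body)) + body


def build_client_hello(version, is_fallback, send_scsv):
    """A client implementing RFC 7507 appends TLS_FALLBACK_SCSV to its
    cipher suite list whenever it retries with a version lower than the
    highest one it supports (send_scsv=False models a client without it)."""
    suites = list(DEFAULT_SUITES)
    if is_fallback and send_scsv:
        suites.append(TLS_FALLBACK_SCSV)
    return ClientHello(version, suites)


def server_accept(hello, server_max):
    """Toy server applying the RFC 7507 server rule: a hello that carries
    TLS_FALLBACK_SCSV but offers less than this server's own maximum was
    downgraded by something other than this server, so abort."""
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.version < server_max:
        raise InappropriateFallback(hello.version)
    return min(hello.version, server_max)


def connect_with_fallback(server_max, *, drop_above=None, send_scsv=True,
                          ssl3_enabled=False):
    """Emulates the browser 'downgrade dance': start at the highest version
    and retry one version lower whenever an attempt gets no answer.

    drop_above models hellos above that version silently disappearing,
    whether a version-intolerant legacy peer drops them or an on-path
    attacker does; the client cannot tell the two apart.
    Returns (negotiated_version_or_None, list_of_(version, outcome)).
    """
    versions = [TLS1_2, TLS1_1, TLS1_0] + ([SSL3_0] if ssl3_enabled else [])
    attempts = []
    for i, version in enumerate(versions):
        hello = build_client_hello(version, is_fallback=(i > 0), send_scsv=send_scsv)
        if drop_above is not None and version > drop_above:
            attempts.append((version, "no answer"))
            continue
        try:
            negotiated = server_accept(hello, server_max)
        except InappropriateFallback:
            attempts.append((version, "inappropriate_fallback"))
            return None, attempts            # fatal alert: do not retry lower
        attempts.append((version, "ok"))
        return negotiated, attempts
    return None, attempts                    # nothing worked: connection fails


if __name__ == "__main__":
    # POODLE setting: modern server, attacker drops every hello above SSL 3.0,
    # SSL 3.0 re-enabled by the user. Without the SCSV the client lands on SSL 3.0.
    print(connect_with_fallback(TLS1_2, drop_above=SSL3_0, send_scsv=False, ssl3_enabled=True))
    # With the SCSV the server sees the downgrade and aborts the connection.
    print(connect_with_fallback(TLS1_2, drop_above=SSL3_0, send_scsv=True, ssl3_enabled=True))
    # Genuine SSL-3.0-only legacy device: hello version equals server_max,
    # so the SCSV is harmless and the user keeps access.
    print(connect_with_fallback(SSL3_0, drop_above=SSL3_0, send_scsv=True, ssl3_enabled=True))
```

The model makes one caveat visible: the SCSV only helps when the server also implements RFC 7507 and supports a version newer than the one the client fell back to. Against a server that is genuinely SSL 3.0-only the SCSV changes nothing, and against a server that ignores it the downgrade still succeeds, which is why disabling SSL 3 by default remains the stronger fix and the SCSV is the mitigation for users who cannot.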
Updated (kaie, assignee), 3 years ago
Depends on: 1036735

Comment 1 (kaie, assignee), 3 years ago
At this time, Firefox 31 ESR uses NSS 3.16.2.2

TLS_FALLBACK_SCSV was added in NSS 3.17.2, in bug 1036735 I suggest to backport the patch to the NSS 3.16.2.x branch, and use a new release from that branch for Firefox 31 ESR.

Comment 2 (Martin)
:kaie can this be marked as a duplicate of bug 1036735? I don't want to have the discussion in two places.

Comment 3 (kaie, assignee), 3 years ago
Martin, this is a Firefox/PSM bug. We usually have a separate tracking bug (to carry approvals) for Firefox releases.

Bug 1036735 is a NSS bug.

IMHO, all discussions related to NSS and backporting to NSS branches should happen in bug 1036735.

This bug is intended to discuss whether or not to upgrade Firefox 31.

Comment 4 (Martin)
My mistake. I always confuse the bugs on this. bug 1036737 is what I intended to ask about. That's where I landed the Firefox/PSM changes.

Comment 5 (kaie, assignee), 3 years ago
Ok, maybe you're right, and using bug 1036737 is fine.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1036737

Comment 6 (kaie, assignee), 3 years ago
I'm reopening this as its own bug, because NSS 3.16.2.3 includes an additional bugfix.
This bug is for tracking a potential upgrade of NSS on the Firefox 31 ESR branch.

Landing the patch from bug 1036737, which enables the feature, is a separate decision.


[Tracking Requested - why for this release]:
Firefox ESR could benefit from the TLS_FALLBACK_SCSV feature after POODLE
and from a 100% CPU fix which are available in NSS 3.16.2.3
This is a minimal NSS update, with these fixes backported.
Status: RESOLVED → REOPENED
tracking-firefox-esr31: --- → ?
Resolution: DUPLICATE → ---
Summary: Upgrade Firefox ESR 31.x to a version of NSS that supports TLS_FALLBACK_SCSV → Upgrade Firefox ESR 31.x to NSS 3.16.2.3

Comment 7 (kaie, assignee), 3 years ago
Created attachment 8511380: Illustrative patch
(for landing use: python client.py update_nss NSS_3_16_2_3_RTM)

This patch illustrates the amount of changes between the currently used NSS 3.16.2.2 and the suggested upgrade to 3.16.2.3

Using this patch for requesting approval.
Assignee: nobody → kaie
Attachment #8511380 - Flags: approval-mozilla-esr31?

Comment 8 (kaie, assignee), 3 years ago
esr-31 try build, using the patch from this bug, plus the patch from bug 1036737:
https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=f69e43df260f

Updated (kaie, assignee), 3 years ago
Attachment #8511380 - Attachment description: Illustrative patch → Illustrative patch (for landing use: python client.py update_nss NSS_3_16_2_3_RTM)

Comment 9, 3 years ago
Comment on attachment 8511380: Illustrative patch
(for landing use: python client.py update_nss NSS_3_16_2_3_RTM)

Review of attachment 8511380:
-----------------------------------------------------------------

r=wtc.
Attachment #8511380 - Flags: review+

Comment 10 (Ryan VanderMeulen [:RyanVM])
Paul, should we consider this for B2G v1.4/v2.0 as well?
Flags: needinfo?(ptheriault)

Comment 11 (ptheriault)
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #10)
> Paul, should we consider this for B2G v1.4/v2.0 as well?

Yes that sounds like a good idea to me (and 2.0m).
Flags: needinfo?(ptheriault)

Comment 12
Comment on attachment 8511380: Illustrative patch
(for landing use: python client.py update_nss NSS_3_16_2_3_RTM)

See comment 6 and comment 11.
Attachment #8511380 - Flags: approval-mozilla-b2g32?
Attachment #8511380 - Flags: approval-mozilla-b2g30?
Attachment #8511380 - Flags: approval-mozilla-esr31? → approval-mozilla-esr31+
status-firefox-esr31: --- → affected
tracking-firefox-esr31: ? → 34+

Comment 13 (kaie, assignee), 3 years ago
Thanks
https://hg.mozilla.org/releases/mozilla-esr31/rev/2aad0b4e9a8d
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
status-firefox-esr31: affected → fixed
Resolution: --- → FIXED

Comment 14
Bump the minimum version in configure.in as well:
https://hg.mozilla.org/releases/mozilla-esr31/rev/e70de1bbcf5f
status-b2g-v1.4: --- → affected
status-b2g-v2.0: --- → affected
status-b2g-v2.0M: --- → affected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-firefox34: --- → unaffected
status-firefox35: --- → unaffected
status-firefox36: --- → unaffected

Updated, 3 years ago
Attachment #8511380 - Flags: approval-mozilla-b2g32? → approval-mozilla-b2g32+
Attachment #8511380 - Flags: approval-mozilla-b2g30? → approval-mozilla-b2g30+

Comment 15 (Ryan VanderMeulen [:RyanVM])
https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/6fa3af960fff

B2G v2.0 (b2g32) is actually on NSS 3.16.5 at the moment. Kai, what should we do for that release?
status-b2g-v1.4: affected → fixed
Flags: needinfo?(kaie)

Comment 16 (kaie, assignee), 3 years ago
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #15)
> https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/6fa3af960fff
> 
> B2G v2.0 (b2g32) is actually on NSS 3.16.5 at the moment. Kai, what should
> we do for that release?

It would be best if you could go to 3.17.2

The 3.16.2.x branch is primarily intended for those branches that still require the old set of root CA certs (which we don't want to change on FF 31 ESR).

If you use 3.16.5, you already have the new root CA changes.

Updated (kaie, assignee), 3 years ago
Flags: needinfo?(kaie)

Comment 17
Thanks, I'll move it over to bug 1049435 then.
status-b2g-v2.0: affected → unaffected
status-b2g-v2.0M: affected → unaffected
Attachment #8511380 - Flags: approval-mozilla-b2g32+

Comment 18
I accidentally just pushed an empty commit to Aurora under this bug number. It's completely safe to ignore. Sorry for any confusion it causes.
https://hg.mozilla.org/releases/mozilla-aurora/rev/ee017c79f5a8