1137179 - Add wildcard list to the static fallback list

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[Masatoshi Kimura [:emk]]

This patch also contains a fallback list update because it is very likely to conflict with this.
I also removed bookstore.cleary.edu and buy.liker.com.tw because they consistently fail with NS_ERROR_UNKNOWN_HOST for me (please double check).

Comment 1

[Masatoshi Kimura [:emk]]

Attachment: patch

Oops, forgot to attach the patch.

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Comment on attachment 8569846 [details] [diff] [review]
patch

Review of attachment 8569846 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me with comments addressed.

(In reply to Masatoshi Kimura [:emk] from comment #0)
> I also removed bookstore.cleary.edu and buy.liker.com.tw because they
> consistently fail with NS_ERROR_UNKNOWN_HOST for me (please double check).

I can't resolve those hosts either.

::: security/manager/ssl/src/IntolerantFallbackList.inc
@@ -16,5 @@
>    "actiononline.stpete.org",
>    "actu.reunion.fr",
>    "ad401k.sbisec.co.jp",
>    "adman.you.gr",
> -  "adsearch.kuronekoyamato.co.jp", // bug 1128366

Should this bug be resolved worksforme or something now?

@@ -86,5 @@
>    "click2gov.alpharetta.ga.us",
>    "click2gov.sanangelotexas.us",
>    "clientes.chilectra.cl",
>    "club.guosen.com.cn",
> -  "cmypage.kuronekoyamato.co.jp", // bug 1112110

Same

@@ +290,5 @@
>    "secureonline.dwp.gov.uk",
>    "sems.hrd.ccsd.net",
>    "service.autoc-one.jp",
>    "services.apvma.gov.au",
> +  "services.geotrust.com",

We should definitely have a bug on this.

::: security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp
@@ +586,5 @@
>    NS_NAMED_LITERAL_CSTRING(fallback_test, "fallback.test");
>    NS_NAMED_LITERAL_CSTRING(no_fallback_test, "no.fallback.test");
> +  NS_NAMED_LITERAL_CSTRING(wildcard_test, "wildcard.test");
> +  NS_NAMED_LITERAL_CSTRING(a_wildcard_test, "a.wildcard.test");
> +  NS_NAMED_LITERAL_CSTRING(b_wildcard_test, "b.wildcard.test");

Let's do something longer like "long.example.wildcard.test" for this second one.

Comment 3

[Masatoshi Kimura [:emk]]

Attachment: patch for checkin

(In reply to David Keeler [:keeler] (use needinfo?) from comment #2)
> > I also removed bookstore.cleary.edu and buy.liker.com.tw because they
> > consistently fail with NS_ERROR_UNKNOWN_HOST for me (please double check).
> 
> I can't resolve those hosts either.

Thanks you.

> > -  "adsearch.kuronekoyamato.co.jp", // bug 1128366
> 
> Should this bug be resolved worksforme or something now?

It's just moved to the wildcard list.

> > +  "services.geotrust.com",
> 
> We should definitely have a bug on this.

Filed bug 1137677.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=e30008890f8f

Comment 4

[Masatoshi Kimura [:emk]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/5801ebeeb3b6

Comment 5

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/5801ebeeb3b6

Comment 6

[Masatoshi Kimura [:emk]]

Comment on attachment 8570767 [details] [diff] [review]
patch for checkin

Approval Request Comment
[Feature/regressing bug #]: 1124039
[User impact if declined]: Users can not connect some sites
[Describe test coverage new/current, TreeHerder]: Basic gtest
[Risks and why]: Low, minimal whitelist logic change only
[String/UUID change made/needed]: no

Comment 7

[Lukas Blakk [:lsblakk] use ?needinfo]

Comment on attachment 8570767 [details] [diff] [review]
patch for checkin

approving for uplift to give better user experience.

Comment 8

[Masatoshi Kimura [:emk]]

Attachment: patch for beta

Rebase needed.

Comment 9

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/2f29031bfd40

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/70d3a14eab61