Closed Bug 1137470 Opened 10 years ago Closed 9 years ago

Upgrade Firefox 38 to use NSS 3.18

Categories

(Core :: Security: PSM, defect)

38 Branch
defect
Not set
normal

RESOLVED FIXED
mozilla39
Tracking Status
firefox38 --- fixed
firefox39 --- fixed

People

(Reporter: KaiE, Assigned: KaiE)

References

(Blocks 1 open bug)

Details

Attachments

(3 files)

NSS 3.18 contains changes that Mozilla has been waiting for:
- the latest set of root CA changes
- a new API to import pkcs12 with adjusted nicknames in a safe way

Although Firefox 38 has already entered Aurora phase, we'd like to pledge to upgrade it to NSS 3.18 nevertheless.

I'd like to land an NSS 3.18 beta version into Aurora to start testing it with FF 38.
We intend to finalize the 3.18 release within the next 2-3 weeks, to stabilize NSS in the middle of the Aurora 38 phase.
I've been asked to not yet land the root CA changes, because we're waiting for some results.

I've landed the NSS_3_18_BETA7, which includes all the other changes that are relevant for Firefox, allowing testing on mozilla-central and aurora to start immediately.

https://hg.mozilla.org/integration/mozilla-inbound/rev/64a4de12927a
Whiteboard: [leave open] [bump configure.in on final commit]
Richard, please let me know once it's OK to land the root CA changes.
Flags: needinfo?(rlb)
Could you please approve this for landing into aurora 38?

The justification is in the first comment of this bug. Thanks.
Assignee: nobody → kaie
Attachment #8570175 - Flags: approval-mozilla-aurora?
Attachment #8570175 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
reverting status-firefox39, it won't be fixed until we land the final NSS 3.18 release (not ready yet).

thanks for the aurora approval!
Kai: I would like to get the Telemetry on cert validation errors installed first (bug 1085506), and give it a couple of weeks to set a baseline.  That should allow us to better measure the impact of removing the Equifax root.
Depends on: 1085506
Flags: needinfo?(rlb)
We have the first NSS 3.18 release candidate.

The plan is:

- land NSS 3.18 rc MINUS the root ca changes into m-c and m-a,
  to ensure we get testing of all the NSS code,
  r=nss-confcall

- delay landing the root ca changes until the last third of march,
  to allow Richard a longer period for collecting telemetry data
  based on the current set of roots
(In reply to Kai Engert (:kaie) from comment #8)
> 
> - land NSS 3.18 rc MINUS the root ca changes into m-c and m-a,
>   to ensure we get testing of all the NSS code,
>   r=nss-confcall

This part is done.
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ec78ec97624
Whiteboard: [leave open] [bump configure.in on final commit] → [leave open] [land 3.18 RTM + root CA changes on March 20] [bump configure.in on final commit]
Attachment #8570175 - Flags: checkin+
This patch updates NSS to the release candidate NSS_3_18_RC0.

However, because we're waiting for telemetry, this patch EXCLUDES the root CA changes from bug 1332496 (reverted locally).

(Per our NSS/PSM tracking rules, the difference to tag NSS_3_18_RC0 has been documented as a patch in directory security/patches/ .)

We must upgrade aurora to the final release of 3.18

This patch already lands ALL the CODE changes that will be part of the final 3.18, to allow immediate testing in aurora, prior to finishing the root CA telemetry.

Please approve this patch for aurora.


(On March 20 I will attach another patch to land the excluded root CA changes.)
Attachment #8574285 - Flags: review+
Attachment #8574285 - Flags: approval-mozilla-aurora?
(In reply to Kai Engert (:kaie) from comment #9)
> This part is done.
> https://hg.mozilla.org/integration/mozilla-inbound/rev/3ec78ec97624

A number of tests are orange on mozilla-inbound as a result of this (in either dt or dt2, depending on whether opt or debug):

 4656 INFO TEST-UNEXPECTED-FAIL | browser/devtools/netmonitor/test/browser_net_security-details.js | Label has the expected value. - Got TLSv1.2, expected TLSv1
Flags: needinfo?(kaie)
(Though note that that test is failing only on some platforms, and I'm not even sure what the pattern is.  It seems to be failing on all Linux runs, no Windows runs, and some (!) Mac OS X runs.)
Which is probably just a bad test; what I find more interesting is the fact that it's only "a number" not "every run of browser_net_security-details.js." I have the change to the test queued, and the bug for the test author to look at typed out, but for quite a while after the landing, only Linux and OS X opt were failing, then OS X debug and then Windows debug failed, so it looks like that grotesque hack of adding and removing a blank line in security/nss/coreconf/coreconf.dep to force NSS rebuilds either stopped working, or possibly never did really work. So now I'm waiting on the results of a clobber to see whether or not to land the test change and a touch of /CLOBBER.
(In reply to David Baron [:dbaron] (UTC-8) from comment #11)
>  4656 INFO TEST-UNEXPECTED-FAIL |
> browser/devtools/netmonitor/test/browser_net_security-details.js | Label has
> the expected value. - Got TLSv1.2, expected TLSv1

In this update, the NSS library default has changed.

In the past, the maximum enabled TLS version enabled by default was 1.0 - now it's 1.2

This might explain why an application-level test gets v1.2 instead of v1.0, if it uses the NSS default.
Flags: needinfo?(kaie)
(In reply to Kai Engert (:kaie) from comment #14)
> 
> In this update, the NSS library default has changed.
> 
> In the past, the maximum enabled TLS version enabled by default was 1.0 -
> now it's 1.2

FYI, bug 1083900
Nevertheless, let's wait for the result of the clobber.

In my understanding, Firefox has application level code that overrides the NSS default, and does enable TLS v1.2

I don't know which default (Firefox default or NSS default) is being used in this particular test.
Depends on: 1140739
Touched /CLOBBER in https://hg.mozilla.org/integration/mozilla-inbound/rev/fac66b2cc608, adjusted the test's expectations in https://hg.mozilla.org/integration/mozilla-inbound/rev/5cfc2a0f0054, both of which you'll need to do while landing on aurora.
Attachment #8574285 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/integration/mozilla-inbound/rev/289fa2204f9f
https://hg.mozilla.org/integration/mozilla-inbound/rev/c06d15bf34b5
Whiteboard: [leave open] [land 3.18 RTM + root CA changes on March 20] [bump configure.in on final commit] → [land 3.18 RTM + root CA changes on March 20]
I've also removed the file that documented which patch we had previously reverted.
https://hg.mozilla.org/integration/mozilla-inbound/rev/02c4c1b559ac

This isn't part of the build.

Now we're using unmodified NSS_3_18_RTM on mozilla-central (including the root CA changes).
Whiteboard: [land 3.18 RTM + root CA changes on March 20]
Attachment #8574285 - Flags: checkin+
As discussed and announced earlier, this updates to the final release of NSS 3.18

The only code change: an unnecessary new API (not used by Firefox) has been removed.

The root CA changes (that were previously excluded) are now included.

The version requirement, when building Firefox against a systemwide installed NSS, has been increased to 3.18

This is equivalent to what I just landed into mozilla-inbound.
Attachment #8580666 - Flags: approval-mozilla-aurora?
Attachment #8580666 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8580666 [details] [diff] [review]
upgrade aurora to full NSS_3_18_RTM, bump version requirement, remove obsolete doc, clobber

https://hg.mozilla.org/releases/mozilla-aurora/rev/441544bb022e
Attachment #8580666 - Flags: checkin+
Depends on: 1148182