Upgrade Firefox 38 to use NSS 3.18

RESOLVED FIXED in Firefox 38

defect

People

(Reporter: kaie, Assigned: kaie)

Tracking

38 Branch
mozilla39
Firefox Tracking Flags

(firefox38 fixed, firefox39 fixed)

Attachments

(3 attachments)

Assignee

Description

4 years ago
NSS 3.18 contains changes that Mozilla has been waiting for:
- the latest set of root CA changes
- a new API to import pkcs12 with adjusted nicknames in a safe way

Although Firefox 38 has already entered Aurora phase, we'd like to pledge to upgrade it to NSS 3.18 nevertheless.

I'd like to land an NSS 3.18 beta version into Aurora to start testing it with FF 38.
We intend to finalize the 3.18 release within the next 2-3 weeks, to stabilize NSS in the middle of the Aurora 38 phase.
Assignee

Comment 1

4 years ago
I've been asked to not yet land the root CA changes, because we're waiting for some results.

I've landed the NSS_3_18_BETA7, which includes all the other changes that are relevant for Firefox, allowing testing on mozilla-central and aurora to start immediately.

https://hg.mozilla.org/integration/mozilla-inbound/rev/64a4de12927a
Whiteboard: [leave open] [bump configure.in on final commit]
Assignee

Comment 2

4 years ago
Richard, please let me know once it's OK to land the root CA changes.
Flags: needinfo?(rlb)
Assignee

Comment 3

4 years ago
Could you please approve this for landing into aurora 38?

The justification is in the first comment of this bug. Thanks.
Assignee: nobody → kaie
Attachment #8570175 - Flags: approval-mozilla-aurora?
Attachment #8570175 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee

Comment 5

4 years ago
reverting status-firefox39, it won't be fixed until we land the final NSS 3.18 release (not ready yet).

thanks for the aurora approval!
Kai: I would like to get the Telemetry on cert validation errors installed first (bug 1085506), and give it a couple of weeks to set a baseline.  That should allow us to better measure the impact of removing the Equifax root.
Assignee

Updated

4 years ago
Depends on: 1085506
Flags: needinfo?(rlb)
Assignee

Comment 8

4 years ago
We have the first NSS 3.18 release candidate.

The plan is:

- land NSS 3.18 rc MINUS the root ca changes into m-c and m-a,
  to ensure we get testing of all the NSS code,
  r=nss-confcall

- delay landing the root ca changes until the last third of march,
  to allow Richard a longer period for collecting telemetry data
  based on the current set of roots
Assignee

Comment 9

4 years ago
(In reply to Kai Engert (:kaie) from comment #8)
> 
> - land NSS 3.18 rc MINUS the root ca changes into m-c and m-a,
>   to ensure we get testing of all the NSS code,
>   r=nss-confcall

This part is done.
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ec78ec97624
Assignee

Updated

4 years ago
Whiteboard: [leave open] [bump configure.in on final commit] → [leave open] [land 3.18 RTM + root CA changes on March 20] [bump configure.in on final commit]
Assignee

Updated

4 years ago
Attachment #8570175 - Flags: checkin+
Assignee

Comment 10

4 years ago
This patch updates NSS to the release candidate NSS_3_18_RC0.

However, because we're waiting for telemetry, this patch EXCLUDES the root CA changes from bug 1332496 (reverted locally).

(Per our NSS/PSM tracking rules, the difference to tag NSS_3_18_RC0 has been documented as a patch in directory security/patches/ .)

We must upgrade aurora to the final release of 3.18

This patch already lands ALL the CODE changes that will be part of the final 3.18, to allow immediate testing in aurora, prior to finishing the root CA telemetry.

Please approve this patch for aurora.


(On March 20 I will attach another patch to land the excluded root CA changes.)
Attachment #8574285 - Flags: review+
Attachment #8574285 - Flags: approval-mozilla-aurora?
(In reply to Kai Engert (:kaie) from comment #9)
> This part is done.
> https://hg.mozilla.org/integration/mozilla-inbound/rev/3ec78ec97624

A number of tests are orange on mozilla-inbound as a result of this (in either dt or dt2, depending on whether opt or debug):

 4656 INFO TEST-UNEXPECTED-FAIL | browser/devtools/netmonitor/test/browser_net_security-details.js | Label has the expected value. - Got TLSv1.2, expected TLSv1
Flags: needinfo?(kaie)
(Though note that that test is failing only on some platforms, and I'm not even sure what the pattern is.  It seems to be failing on all Linux runs, no Windows runs, and some (!) Mac OS X runs.)
Which is probably just a bad test; what I find more interesting is the fact that it's only "a number" not "every run of browser_net_security-details.js." I have the change to the test queued, and the bug for the test author to look at typed out, but for quite a while after the landing, only Linux and OS X opt were failing, then OS X debug and then Windows debug failed, so it looks like that grotesque hack of adding and removing a blank line in security/nss/coreconf/coreconf.dep to force NSS rebuilds either stopped working, or possibly never did really work. So now I'm waiting on the results of a clobber to see whether or not to land the test change and a touch of /CLOBBER.
Assignee

Comment 14

4 years ago
(In reply to David Baron [:dbaron] (UTC-8) from comment #11)
>  4656 INFO TEST-UNEXPECTED-FAIL |
> browser/devtools/netmonitor/test/browser_net_security-details.js | Label has
> the expected value. - Got TLSv1.2, expected TLSv1

In this update, the NSS library default has changed.

In the past, the maximum enabled TLS version enabled by default was 1.0 - now it's 1.2

This might explain why an application-level test gets v1.2 instead of v1.0, if it uses the NSS default.
Flags: needinfo?(kaie)
Assignee

Comment 15

4 years ago
(In reply to Kai Engert (:kaie) from comment #14)
> 
> In this update, the NSS library default has changed.
> 
> In the past, the maximum enabled TLS version enabled by default was 1.0 -
> now it's 1.2

FYI, bug 1083900
Assignee

Comment 16

4 years ago
Nevertheless, let's wait for the result of the clobber.

In my understanding, Firefox has application level code that overrides the NSS default, and does enable TLS v1.2

I don't know which default (Firefox default or NSS default) is being used in this particular test.
Depends on: 1140739
Touched /CLOBBER in https://hg.mozilla.org/integration/mozilla-inbound/rev/fac66b2cc608, adjusted the test's expectations in https://hg.mozilla.org/integration/mozilla-inbound/rev/5cfc2a0f0054, both of which you'll need to do while landing on aurora.
Attachment #8574285 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee

Comment 20

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/289fa2204f9f
https://hg.mozilla.org/integration/mozilla-inbound/rev/c06d15bf34b5
Whiteboard: [leave open] [land 3.18 RTM + root CA changes on March 20] [bump configure.in on final commit] → [land 3.18 RTM + root CA changes on March 20]
Assignee

Comment 21

4 years ago
I've also removed the file that documented which patch we had previously reverted.
https://hg.mozilla.org/integration/mozilla-inbound/rev/02c4c1b559ac

This isn't part of the build.

Now we're using unmodified NSS_3_18_RTM on mozilla-central (including the root CA changes).
Whiteboard: [land 3.18 RTM + root CA changes on March 20]
Assignee

Updated

4 years ago
Attachment #8574285 - Flags: checkin+
Assignee

Comment 22

4 years ago
As discussed and announced earlier, this updates to the final release of NSS 3.18

The only code change: an unnecessary new API (not used by Firefox) has been removed.

The root CA changes (that were previously excluded) are now included.

The version requirement, when building Firefox against a systemwide installed NSS, has been increased to 3.18

This is equivalent to what I just landed into mozilla-inbound.
Attachment #8580666 - Flags: approval-mozilla-aurora?
Attachment #8580666 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee

Comment 24

4 years ago
Comment on attachment 8580666 [details] [diff] [review]
upgrade aurora to full NSS_3_18_RTM, bump version requirement, remove obsolete doc, clobber

https://hg.mozilla.org/releases/mozilla-aurora/rev/441544bb022e
Attachment #8580666 - Flags: checkin+

Updated

4 years ago
Depends on: 1148182