Bug 1137470: Upgrade Firefox 38 to use NSS 3.18
Status: RESOLVED FIXED (Closed), mozilla39
Opened 10 years ago, closed 9 years ago
Categories: Core :: Security: PSM, defect
People: Reporter: KaiE, Assigned: KaiE
References: Blocks 1 open bug
Attachments (3 files):
- 116 bytes, text/plain. Flags: lsblakk: approval-mozilla-aurora+, KaiE: checkin+
- 155.67 KB, patch. Flags: KaiE: review+, lsblakk: approval-mozilla-aurora+, KaiE: checkin+
- 160.21 KB, patch. Flags: Sylvestre: approval-mozilla-aurora+, KaiE: checkin+
NSS 3.18 contains changes that Mozilla has been waiting for:
- the latest set of root CA changes
- a new API to import pkcs12 with adjusted nicknames in a safe way
Although Firefox 38 has already entered Aurora phase, we'd like to pledge to upgrade it to NSS 3.18 nevertheless.
I'd like to land a NSS 3.18 beta version into Aurora to start testing it with FF 38.
We intend to finalize the 3.18 release within the next 2-3 weeks, to stabilize NSS in the middle of the Aurora 38 phase.
Updated (Assignee) • 10 years ago
status-firefox38: --- → affected
Comment 1 (Assignee) • 10 years ago
I've been asked to not yet land the root CA changes, because we're waiting for some results.
I've landed the NSS_3_18_BETA7, which includes all the other changes that are relevant for Firefox, allowing testing on mozilla-central and aurora to start immediately.
https://hg.mozilla.org/integration/mozilla-inbound/rev/64a4de12927a
Whiteboard: [leave open] [bump configure.in on final commit]
Comment 2 (Assignee) • 10 years ago
Richard, please let me know once it's OK to land the root CA changes.
Flags: needinfo?(rlb)
Comment 3 (Assignee) • 10 years ago
Could you please approve this for landing into aurora 38? The justification is in the first comment of this bug. Thanks.
Assignee: nobody → kaie
Attachment #8570175 - Flags: approval-mozilla-aurora?
Blocks: 1012549
Comment 4 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/64a4de12927a
Updated • 10 years ago
Attachment #8570175 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated • 10 years ago
status-firefox39: --- → fixed
Comment 5 (Assignee) • 10 years ago
reverting status-firefox39, it won't be fixed until we land the final NSS 3.18 release (not ready yet). thanks for the aurora approval!
Comment 7 • 10 years ago
Kai: I would like to get the Telemetry on cert validation errors installed first (bug 1085506), and give it a couple of weeks to set a baseline. That should allow us to better measure the impact of removing the Equifax root.
Comment 8 (Assignee) • 10 years ago
We have the first NSS 3.18 release candidate. The plan is:
- land NSS 3.18 rc MINUS the root ca changes into m-c and m-a, to ensure we get testing of all the NSS code, r=nss-confcall
- delay landing the root ca changes until the last third of march, to allow Richard a longer period for collecting telemetry data based on the current set of roots
Comment 9 (Assignee) • 9 years ago
(In reply to Kai Engert (:kaie) from comment #8)
> - land NSS 3.18 rc MINUS the root ca changes into m-c and m-a,
> to ensure we get testing of all the NSS code,
> r=nss-confcall
This part is done.
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ec78ec97624
Updated (Assignee) • 9 years ago
Whiteboard: [leave open] [bump configure.in on final commit] → [leave open] [land 3.18 RTM + root CA changes on March 20] [bump configure.in on final commit]
Updated (Assignee) • 9 years ago
Attachment #8570175 - Flags: checkin+
Comment 10 (Assignee) • 9 years ago
This patch updates NSS to the release candidate NSS_3_18_RC0.
However, because we're waiting for telemetry, this patch EXCLUDES the root CA changes from bug 1332496 (reverted locally).
(Per our NSS/PSM tracking rules, the difference to tag NSS_3_18_RC0 has been documented as a patch in directory security/patches/ .)
We must upgrade aurora to the final release of 3.18
This patch already lands ALL the CODE changes that will be part of the final 3.18, to allow immediate testing in aurora, prior to finishing the root CA telemetry.
Please approve this patch for aurora.
(On March 20 I will attach another patch to land the excluded root CA changes.)
Attachment #8574285 - Flags: review+
Attachment #8574285 - Flags: approval-mozilla-aurora?
(In reply to Kai Engert (:kaie) from comment #9)
> This part is done.
> https://hg.mozilla.org/integration/mozilla-inbound/rev/3ec78ec97624
A number of tests are orange on mozilla-inbound as a result of this (in either dt or dt2, depending on whether opt or debug):
4656 INFO TEST-UNEXPECTED-FAIL | browser/devtools/netmonitor/test/browser_net_security-details.js | Label has the expected value. - Got TLSv1.2, expected TLSv1
Flags: needinfo?(kaie)
(Though note that that test is failing only on some platforms, and I'm not even sure what the pattern is. It seems to be failing on all Linux runs, no Windows runs, and some (!) Mac OS X runs.)
Comment 13 • 9 years ago
Which is probably just a bad test; what I find more interesting is the fact that it's only "a number" not "every run of browser_net_security-details.js." I have the change to the test queued, and the bug for the test author to look at typed out, but for quite a while after the landing, only Linux and OS X opt were failing, then OS X debug and then Windows debug failed, so it looks like that grotesque hack of adding and removing a blank line in security/nss/coreconf/coreconf.dep to force NSS rebuilds either stopped working, or possibly never did really work. So now I'm waiting on the results of a clobber to see whether or not to land the test change and a touch of /CLOBBER.
Comment 14 (Assignee) • 9 years ago
(In reply to David Baron [:dbaron] (UTC-8) from comment #11)
> 4656 INFO TEST-UNEXPECTED-FAIL |
> browser/devtools/netmonitor/test/browser_net_security-details.js | Label has
> the expected value. - Got TLSv1.2, expected TLSv1
In this update, the NSS library default has changed.
In the past, the maximum enabled TLS version enabled by default was 1.0 - now it's 1.2
This might explain why an application level test gets v1.2 instead of v1.0, if it uses the NSS default.
Flags: needinfo?(kaie)
Comment 15 (Assignee) • 9 years ago
(In reply to Kai Engert (:kaie) from comment #14)
> In this update, the NSS library default has changed.
>
> In the past, the maximum enabled TLS version enabled by default was 1.0 -
> now it's 1.2
FYI, bug 1083900
Comment 16 (Assignee) • 9 years ago
Nevertheless, let's wait for the result of the clobber.
In my understanding, Firefox has application level code that overrides the NSS default, and does enable TLS v1.2
I don't know which default (Firefox default or NSS default) is being used in this particular test.
Comment 17 • 9 years ago
Touched /CLOBBER in https://hg.mozilla.org/integration/mozilla-inbound/rev/fac66b2cc608, adjusted the test's expectations in https://hg.mozilla.org/integration/mozilla-inbound/rev/5cfc2a0f0054, both of which you'll need to do while landing on aurora.
Comment 18 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/3ec78ec97624
https://hg.mozilla.org/mozilla-central/rev/fac66b2cc608
Updated • 9 years ago
Attachment #8574285 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 19 (Assignee) • 9 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/758a094c8b7e
Don't mark fixed yet. See comment 10.
Comment 20 (Assignee) • 9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/289fa2204f9f
https://hg.mozilla.org/integration/mozilla-inbound/rev/c06d15bf34b5
Whiteboard: [leave open] [land 3.18 RTM + root CA changes on March 20] [bump configure.in on final commit] → [land 3.18 RTM + root CA changes on March 20]
Comment 21 (Assignee) • 9 years ago
I've also removed the file that documented which patch we had previously reverted.
https://hg.mozilla.org/integration/mozilla-inbound/rev/02c4c1b559ac
This isn't part of the build.
Now we're using unmodified NSS_3_18_RTM on mozilla-central (including the root CA changes).
Whiteboard: [land 3.18 RTM + root CA changes on March 20]
Updated (Assignee) • 9 years ago
Attachment #8574285 - Flags: checkin+
Comment 22 (Assignee) • 9 years ago
As discussed and announced earlier, this updates to the final release of NSS 3.18
The only code change: an unnecessary new API (not used by Firefox) has been removed.
The root CA changes (that were previously excluded) are now included.
The version requirement, when building Firefox against a systemwide installed NSS, has been increased to 3.18
This is equivalent to what I just landed into mozilla-inbound.
Attachment #8580666 - Flags: approval-mozilla-aurora?
Comment 23 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/289fa2204f9f
https://hg.mozilla.org/mozilla-central/rev/c06d15bf34b5
https://hg.mozilla.org/mozilla-central/rev/02c4c1b559ac
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Updated • 9 years ago
Attachment #8580666 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 24 (Assignee) • 9 years ago
Comment on attachment 8580666
upgrade aurora to full NSS_3_18_RTM, bump version requirement, remove obsolete doc, clobber
https://hg.mozilla.org/releases/mozilla-aurora/rev/441544bb022e
Attachment #8580666 - Flags: checkin+
Updated (Assignee) • 9 years ago
Updated • 7 months ago
Blocks: nss-uplift