Closed Bug 1142769 Opened 10 years ago Closed 10 years ago

Fallback whitelist update: late-March 2015

Categories

(Core :: Security: PSM, defect)

37 Branch
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla39
Tracking Status
firefox37 + fixed
firefox38 + fixed
firefox39 + fixed

People

(Reporter: emk, Assigned: emk)

Attachments

(1 file, 2 obsolete files)

+++ This bug was initially created as a clone of Bug #1133187 +++
I would like to land this before the next merge.
[Tracking Requested - why for this release]:
Ah, this is also needed for the version fallback.
OK, sounds like we should track (and probably uplift) whatever ends up on this whitelist all the way to beta (37).
Hi emk, the last 37 Beta goes to build this Thu, Mar 19 if you are still looking to land a new whitelist and request uplift to 37.
Flags: needinfo?(VYV03354)
Attached patch update_whitelist (obsolete) — Splinter Review
* Added sites from bug 1126620 blockers and bug 1138101 blockers.
* Added sites from bug 1126620 comment #12.
* Removed fixed sites.
* Removed following sites (please double check).
  https://adman.you.gr (certificate expired)
  https://startrekonline.com (certificate expired)
  https://webctmt.lau.edu.lb (consistently fails to connect)
  https://www.3zai.com (unknown host)
  https://www.bookstore.ccbcmd.edu (unknown host)
  https://www.emihub.com (certificate expired)
  https://www.expohotelbarcelona.com (consistently fails to connect)
  https://www.htsec.com (consistently fails to connect)
  https://www.oxendales.co.uk (consistently fails to connect)
  https://www.startrekonline.com (certificate expired)
Flags: needinfo?(VYV03354)
Attachment #8579371 - Flags: review?(dkeeler)
(In reply to Masatoshi Kimura [:emk] from comment #5)
> * Removed following sites (please double check).
> https://adman.you.gr (certificate expired)
> https://startrekonline.com (certificate expired)
> https://webctmt.lau.edu.lb (consistently fails to connect)
> https://www.3zai.com (unknown host)
> https://www.bookstore.ccbcmd.edu (unknown host)
> https://www.emihub.com (certificate expired)
> https://www.expohotelbarcelona.com (consistently fails to connect)
> https://www.htsec.com (consistently fails to connect)
> https://www.oxendales.co.uk (consistently fails to connect)
> https://www.startrekonline.com (certificate expired)
Same results here, except https://www.bookstore.ccbcmd.edu seems to be reachable via Fx38, IE11 and SSL Labs (although it just redirects to HTTP).
Also, I assume omitting the entries from the lists in Bug 1124039 comment 58 and Bug 1138101 comment 4 is intentional since 37 only needs to concern itself with TLS intolerance?
(In reply to Cykesiopka from comment #6)
> Also, I assume omitting the entries from the lists in Bug 1124039 comment 58
> and Bug 1138101 comment 4 is intentional since 37 only needs to concern
> itself with TLS intolerance?
Yes, and also 38 after bug 1138882 uplift with the pref default-enabled.
(In reply to Cykesiopka from comment #6)
> Same results here, except https://www.bookstore.ccbcmd.edu seems to be
> reachable via Fx38, IE11 and SSL Labs (although it just redirects to HTTP).
Oh, indeed Google Public DNS found www.bookstore.ccbcmd.edu while my local DNS server didn't.
Attached patch update_whitelist (obsolete) — Splinter Review
* Added back www.bookstore.ccbcmd.edu.
* Added cardupgrade.citi.com (from bug 1144726)
Attachment #8579371 - Attachment is obsolete: true
Attachment #8579371 - Flags: review?(dkeeler)
Attachment #8579424 - Flags: review?(dkeeler)
Assignee: nobody → VYV03354
37 Beta 7 goes to build tomorrow (Thu, Mar 19). We need an r+ and an uplift request by tomorrow morning in order to ship this update in 37.
Flags: needinfo?(dkeeler)
Flags: needinfo?(VYV03354)
Comment on attachment 8579424 [details] [diff] [review]
update_whitelist

Review of attachment 8579424 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM with comment addressed.

::: security/manager/ssl/src/IntolerantFallbackList.inc
@@ -20,2 @@
> "ad401k.sbisec.co.jp",
> - "adman.you.gr",

I don't think we should remove any sites where the only problem is an expired certificate. Users will be expecting to be able to still reach those sites by adding exceptions, and I imagine administrators are likely to renew the certificates without changing the cipher prefs.
Attachment #8579424 - Flags: review?(dkeeler) → review+
Flags: needinfo?(dkeeler)
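The triage discussed in the comments above (certificate expired, unknown host, consistently fails to connect), combined with the review rule that expiry alone does not justify removal and the second-resolver check from the DNS comment, as an added Python example that is not part of this bug or of Mozilla's code. The function names, status strings, the "other" and "review" buckets and the sample outcomes are assumptions constructed for illustration.

```python
import re
import socket
import ssl

CERT_HAS_EXPIRED = 10  # OpenSSL X509_V_ERR_CERT_HAS_EXPIRED

def parse_inc(text):
    # Host names from lines shaped like the quoted .inc entries, e.g. "host",
    return re.findall(r'^\s*"([^"]+)",', text, re.MULTILINE)

def probe(host, timeout=10):
    """Try a verified TLS connection; return the exception raised, or None."""
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                return None
    except OSError as exc:  # gaierror, timeouts and SSLError are all OSError
        return exc

def classify(exc):
    """Map a probe() result onto the failure reasons used in the thread."""
    if exc is None:
        return "ok"
    if isinstance(exc, socket.gaierror):
        return "unknown host"
    if isinstance(exc, ssl.SSLCertVerificationError):
        expired = getattr(exc, "verify_code", None) == CERT_HAS_EXPIRED
        return "certificate expired" if expired else "other"
    if isinstance(exc, ssl.SSLError):
        return "other"  # e.g. handshake failure; needs a manual look
    return "fails to connect"

def decide(status, found_by_second_resolver=False):
    if status == "certificate expired":
        return "keep"  # review comment: expiry alone is no reason to remove
    if status == "unknown host":  # one resolver's answer is not conclusive
        return "keep" if found_by_second_resolver else "remove"
    return "remove" if status == "fails to connect" else "review"

def triage(inc_text, outcomes, second_resolver=frozenset()):
    """outcomes maps host -> exception or None, as returned by probe()."""
    return {h: (classify(outcomes[h]), decide(classify(outcomes[h]), h in second_resolver))
            for h in parse_inc(inc_text)}

# Constructed sample: entries and outcomes mirror what the thread reports.
_expired = ssl.SSLCertVerificationError("certificate has expired")
_expired.verify_code = CERT_HAS_EXPIRED
SAMPLE_INC = '  "adman.you.gr",\n  "www.bookstore.ccbcmd.edu",\n  "www.htsec.com",\n'
SAMPLE_OUTCOMES = {"adman.you.gr": _expired,
                   "www.bookstore.ccbcmd.edu": socket.gaierror(-2, "Name or service not known"),
                   "www.htsec.com": TimeoutError("timed out")}
RESULT = triage(SAMPLE_INC, SAMPLE_OUTCOMES, {"www.bookstore.ccbcmd.edu"})
```

For a live run, build `outcomes` with `{h: probe(h) for h in parse_inc(text)}` and repeat the "unknown host" entries against a second resolver before removing anything.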
Attached patch patch for chekin — Splinter Review
* Restored certificate expired sites.
* Added watch.sportsnet.ca (bug 1144769).
Attachment #8579424 - Attachment is obsolete: true
Flags: needinfo?(VYV03354)
Attachment #8579658 - Flags: review+
Currently inbound is closed
Keywords: checkin-needed
Comment on attachment 8579658 [details] [diff] [review]
patch for chekin

Approval Request Comment
[Feature/regressing bug #]: N/A
[User impact if declined]: Users cannot connect to some sites.
[Describe test coverage new/current, TreeHerder]: tested locally
[Risks and why]: Very low. Only trivial changes to static data.
[String/UUID change made/needed]: none
Attachment #8579658 - Flags: approval-mozilla-beta?
Attachment #8579658 - Flags: approval-mozilla-aurora?
Comment on attachment 8579658 [details] [diff] [review]
patch for chekin

This is a planned update to the whitelist before release. Beta+ Aurora+
Attachment #8579658 - Flags: approval-mozilla-beta?
Attachment #8579658 - Flags: approval-mozilla-beta+
Attachment #8579658 - Flags: approval-mozilla-aurora?
Attachment #8579658 - Flags: approval-mozilla-aurora+
This landed with the wrong bug number, FWIW. Try to be more careful in the future. https://hg.mozilla.org/releases/mozilla-beta/rev/02b9c74353ad
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Blocks: 1145844