Fallback whitelist update: late-March 2015

RESOLVED FIXED in Firefox 37

Status


Core
Security: PSM
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: emk, Assigned: emk)

Tracking

37 Branch
mozilla39
Points:
---

Firefox Tracking Flags

(firefox37+ fixed, firefox38+ fixed, firefox39+ fixed)

Details

Attachments

(1 attachment, 2 obsolete attachments)

(Assignee)

Description

3 years ago
+++ This bug was initially created as a clone of Bug #1133187 +++

I would like to land this before the next merge.
(Assignee)

Comment 1

3 years ago
[Tracking Requested - why for this release]:
status-firefox37: --- → unaffected
status-firefox38: --- → unaffected
status-firefox39: --- → affected
tracking-firefox39: --- → ?
(Assignee)

Comment 2

3 years ago
Ah, this is also needed for the version fallback.
status-firefox37: unaffected → affected
status-firefox38: unaffected → affected
OK, sounds like we should track (and probably uplift) whatever ends up on this whitelist all the way to beta (37).
tracking-firefox37: --- → +
tracking-firefox38: --- → +
tracking-firefox39: ? → +
Hi emk, the last 37 Beta goes to build this Thu, Mar 19 if you are still looking to land a new whitelist and request uplift to 37.
Flags: needinfo?(VYV03354)
(Assignee)

Comment 5

3 years ago
Created attachment 8579371 [details] [diff] [review]
update_whitelist

* Added sites from bug 1126620 blockers and bug 1138101 blockers.
* Added sites from bug 1126620 comment #12.
* Removed fixed sites.
* Removed following sites (please double check).
https://adman.you.gr (certificate expired)
https://startrekonline.com (certificate expired)
https://webctmt.lau.edu.lb (consistently fails to connect)
https://www.3zai.com (unknown host)
https://www.bookstore.ccbcmd.edu (unknown host)
https://www.emihub.com (certificate expired)
https://www.expohotelbarcelona.com (consistently fails to connect)
https://www.htsec.com (consistently fails to connect)
https://www.oxendales.co.uk (consistently fails to connect)
https://www.startrekonline.com (certificate expired)
Flags: needinfo?(VYV03354)
Attachment #8579371 - Flags: review?(dkeeler)

Comment 6

3 years ago
(In reply to Masatoshi Kimura [:emk] from comment #5)
> * Removed following sites (please double check).
> https://adman.you.gr (certificate expired)
> https://startrekonline.com (certificate expired)
> https://webctmt.lau.edu.lb (consistently fails to connect)
> https://www.3zai.com (unknown host)
> https://www.bookstore.ccbcmd.edu (unknown host)
> https://www.emihub.com (certificate expired)
> https://www.expohotelbarcelona.com (consistently fails to connect)
> https://www.htsec.com (consistently fails to connect)
> https://www.oxendales.co.uk (consistently fails to connect)
> https://www.startrekonline.com (certificate expired)

Same results here, except https://www.bookstore.ccbcmd.edu seems to be reachable via Fx38, IE11 and SSL Labs (although it just redirects to HTTP).

Also, I assume omitting the entries from the lists in Bug 1124039 comment 58 and Bug 1138101 comment 4 is intentional since 37 only needs to concern itself with TLS intolerance?
(Assignee)

Comment 7

3 years ago
(In reply to Cykesiopka from comment #6)
> Also, I assume omitting the entries from the lists in Bug 1124039 comment 58
> and Bug 1138101 comment 4 is intentional since 37 only needs to concern
> itself with TLS intolerance?

Yes, and also 38 after bug 1138882 uplift with the pref default-enabled.
(Assignee)

Comment 8

3 years ago
(In reply to Cykesiopka from comment #6)
> Same results here, except https://www.bookstore.ccbcmd.edu seems to be
> reachable via Fx38, IE11 and SSL Labs (although it just redirects to HTTP).

Oh, indeed Google Public DNS found www.bookstore.ccbcmd.edu while my local DNS server didn't.
(Assignee)

Comment 9

3 years ago
Created attachment 8579424 [details] [diff] [review]
update_whitelist

* Added back www.bookstore.ccbcmd.edu.
* Added cardupgrade.citi.com (from bug 1144726)
Attachment #8579371 - Attachment is obsolete: true
Attachment #8579424 - Flags: review?(dkeeler)
Attachment #8579371 - Flags: review?(dkeeler)
Assignee: nobody → VYV03354
37 Beta 7 goes to build tomorrow (Thu, Mar 19). We need an r+ and an uplift request by tomorrow morning in order to ship this update in 37.
Flags: needinfo?(dkeeler)
Flags: needinfo?(VYV03354)
Comment on attachment 8579424 [details] [diff] [review]
update_whitelist

Review of attachment 8579424 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM with comment addressed.

::: security/manager/ssl/src/IntolerantFallbackList.inc
@@ -20,2 @@
>    "ad401k.sbisec.co.jp",
> -  "adman.you.gr",
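
Review bot: at the `-  "adman.you.gr",` line, the removal rests on an expired certificate (comment 5), which is a separate failure from the TLS intolerance this list tracks and does not show that the server has stopped needing the fallback. Keep the entry unless a handshake without fallback has been observed to succeed, and record the removal reason for each dropped host in the commit message.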

I don't think we should remove any sites where the only problem is an expired certificate. Users will be expecting to be able to still reach those sites by adding exceptions, and I imagine administrators are likely to renew the certificates without changing the cipher prefs.
Attachment #8579424 - Flags: review?(dkeeler) → review+
Flags: needinfo?(dkeeler)
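
An added example (not code from this bug or from Firefox) that separates the failure classes listed in comment 5 and applies the review's rule that an expired certificate alone does not justify removing a host. The `decide` policy, its return labels and the idea of passing one result per vantage point (prompted by the DNS disagreement in comment 8) are assumptions of this example.

```python
import socket
import ssl

CERT_HAS_EXPIRED = 10  # OpenSSL verify code X509_V_ERR_CERT_HAS_EXPIRED


def classify(exc):
    """Map a connection outcome to the failure labels used in comment 5."""
    if exc is None:
        return "ok"
    if isinstance(exc, socket.gaierror):           # DNS lookup failed
        return "unknown host"
    if isinstance(exc, ssl.SSLCertVerificationError):
        expired = getattr(exc, "verify_code", None) == CERT_HAS_EXPIRED
        return "certificate expired" if expired else "certificate error"
    if isinstance(exc, ssl.SSLError):              # alert, version/cipher mismatch
        return "handshake failure"
    if isinstance(exc, OSError):                   # timeout, reset, refused
        return "fails to connect"
    raise exc


def probe(host, port=443, timeout=10):
    """One handshake with the library defaults and no retry at a lower version."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host):
                return classify(None)
    except OSError as exc:
        return classify(exc)


def decide(labels):
    """labels: one classify() result per vantage point (assumed policy)."""
    seen = set(labels)
    if seen == {"ok"}:
        return "remove: fixed"        # handshakes without fallback everywhere
    if seen & {"certificate expired", "handshake failure"}:
        return "keep"                 # server is live and may still need fallback
    if seen <= {"unknown host", "fails to connect"} and len(labels) >= 2:
        return "remove: unreachable"  # every vantage point agrees
    return "recheck"                  # single observation or conflicting results
```

Run `probe` from more than one resolver or network and pass the collected labels to `decide`; a lone "unknown host" result, like the one corrected in comment 8, comes back as "recheck".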
(Assignee)

Comment 12

3 years ago
Created attachment 8579658 [details] [diff] [review]
patch for chekin

* Restored certificate expired sites.
* Added watch.sportsnet.ca (bug 1144769).
Attachment #8579424 - Attachment is obsolete: true
Flags: needinfo?(VYV03354)
Attachment #8579658 - Flags: review+
(Assignee)

Comment 13

3 years ago
Currently inbound is closed
Keywords: checkin-needed
(Assignee)

Comment 14

3 years ago
Comment on attachment 8579658 [details] [diff] [review]
patch for chekin

Approval Request Comment
[Feature/regressing bug #]: N/A
[User impact if declined]: Users cannot connect to some sites.
[Describe test coverage new/current, TreeHerder]: tested locally
[Risks and why]: Very low. Only trivial changes to static data.
[String/UUID change made/needed]: none
Attachment #8579658 - Flags: approval-mozilla-beta?
Attachment #8579658 - Flags: approval-mozilla-aurora?

Updated

3 years ago
Keywords: checkin-needed
Comment on attachment 8579658 [details] [diff] [review]
patch for chekin

This is a planned update to the whitelist before release. Beta+ Aurora+
Attachment #8579658 - Flags: approval-mozilla-beta?
Attachment #8579658 - Flags: approval-mozilla-beta+
Attachment #8579658 - Flags: approval-mozilla-aurora?
Attachment #8579658 - Flags: approval-mozilla-aurora+
This landed with the wrong bug number, FWIW. Try to be more careful in the future.

https://hg.mozilla.org/releases/mozilla-beta/rev/02b9c74353ad
status-firefox37: affected → fixed
https://hg.mozilla.org/mozilla-central/rev/d713f17f6575
status-firefox39: affected → fixed
Target Milestone: --- → mozilla39
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Assignee)

Updated

3 years ago
Blocks: 1145844