Closed Bug 1224481 Opened 4 years ago Closed 4 years ago

Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working

Categories

(Core :: Security: PSM, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla45
Tracking Status
firefox43 + wontfix
firefox44 + fixed
firefox45 --- fixed

People

(Reporter: Cykesiopka, Assigned: Cykesiopka)

References

Details

Attachments

(1 file)

NSS 3.21 removes some roots from the root store: Bug 1214729

Some of the roots are referred to by PreloadedHPKPins.json, which means the periodic HPKP updates (or manual updates) will fail once NSS 3.21 lands in m-c with an error similar to the following:
> JavaScript error: , line 0: uncaught exception: Can't find Verisign Class 4 Public Primary Certification Authority - G3 in certNameToSKD
Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.
Attachment #8687222 - Flags: review?(dkeeler)
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.

https://reviewboard.mozilla.org/r/25149/#review22659

Good catch. Thanks for taking care of this.
Attachment #8687222 - Flags: review?(dkeeler) → review+
You can land this with "DONTBUILD NPOTB" in the commit message since this isn't actually part of the build process.
Thanks for the review.

(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> You can land this with "DONTBUILD NPOTB" in the commit message since this
> isn't actually part of the build process.

Heh, well, no L3 access, so whoever checks this in for me can I guess.
Keywords: checkin-needed
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.

Approval Request Comment
[Feature/regressing bug #]: Required to land NSS 3.21 final with new root CAs. (blocks bug 1211568)
Attachment #8687222 - Flags: approval-mozilla-aurora?
Sorry, I might have requested approval-aurora on the wrong bug.

But let me ask to be certain.

If NSS 3.21 lands on Aurora 44, should this land on Aurora 44, too?

If no, please remove my approval request. Thanks.
Flags: needinfo?(cykesiopka.bmo)
(In reply to Kai Engert (:kaie) from comment #8)
> Sorry, I might have requested approval-aurora on the wrong bug.
> 
> But let me ask to be certain.
> 
> If NSS 3.21 lands on Aurora 44, should this land on Aurora 44, too?
> 
> If no, please remove my approval request. Thanks.

This is the correct bug, don't worry.
This needs to land on Aurora 44 if NSS 3.21 (and the associate root removals) lands there as well.
Flags: needinfo?(cykesiopka.bmo)
The list of root certs that were removed or had the websites trust bit turned off in NSS 3.21 is here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes#Notable_Changes_in_NSS_3.21

Here's what I think needs to be commented out of PreloadedHPKPins.json
100         "Verisign Class 4 Public Primary Certification Authority - G3",
190         "Verisign Class 4 Public Primary Certification Authority - G3",
174         "TC TrustCenter Universal CA III",
180         "UTN DATACorp SGC Root CA",
148         "Equifax Secure CA",

Note, these previously had the Websites trust bit removed, so I think they should also be commented out:
173         "TC TrustCenter Class 3 CA II",
149         "Equifax Secure eBusiness CA 1",
151         "Equifax Secure Global eBusiness CA",
Thanks for pointing this out, Kathleen. I filed bug 1225288 to deal with the trust bit issues.
https://hg.mozilla.org/mozilla-central/rev/f191524a1f14
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.

This is needed as part of upgrading FF44 to use NSS 3.21. Let's uplift to Aurora44.
Attachment #8687222 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.

Approval Request Comment
[Feature/regressing bug #]: 1224481
[User impact if declined]: Security changes in bug 1211568
[Describe test coverage new/current, TreeHerder]: Plenty of time in Nightly and Aurora.
[Risks and why]: None
[String/UUID change made/needed]: None
Attachment #8687222 - Flags: approval-mozilla-beta?
Tracking for 43 since we intend to uplift to beta.
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.


Approved for uplift to beta and m-r. We'd like to get this into the 43 RC build today.
Attachment #8687222 - Flags: approval-mozilla-release+
Attachment #8687222 - Flags: approval-mozilla-beta?
Attachment #8687222 - Flags: approval-mozilla-beta+
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.

On further discussion let's not uplift this; we haven't merged it yet into 43. If we need to get it into 43 before the planned disclosure, I think it would be better to have more time and plan it as a 43 dot release.
Attachment #8687222 - Flags: approval-mozilla-release-
Attachment #8687222 - Flags: approval-mozilla-release+
Attachment #8687222 - Flags: approval-mozilla-beta-
Attachment #8687222 - Flags: approval-mozilla-beta+
The update in bug 1158489 didn't need these changes; wontfix for 43.
You need to log in before you can comment on or make changes to this bug.