Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working
Status: Closed, RESOLVED FIXED (opened 9 years ago, closed 9 years ago)
Categories: Core :: Security: PSM, defect
Target milestone: mozilla45
People: Reporter: Cykesiopka, Assigned: Cykesiopka
Attachments (1 file): 40 bytes, text/x-review-board-request; flags: keeler: review+, ritu: approval-mozilla-aurora+, lizzard: approval-mozilla-beta-, lizzard: approval-mozilla-release-
Description
NSS 3.21 removes some roots from the root store: Bug 1214729
Some of the roots are referred to by PreloadedHPKPins.json, which means the periodic HPKP updates (or manual updates) will fail once NSS 3.21 lands in m-c with an error similar to the following:
> JavaScript error: , line 0: uncaught exception: Can't find Verisign Class 4 Public Primary Certification Authority - G3 in certNameToSKD
Comment 1 • 9 years ago (Assignee)
Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.
Attachment #8687222 - Flags: review?(dkeeler)
Comment 2 • 9 years ago (Assignee)
Comment 3 • 9 years ago
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.
https://reviewboard.mozilla.org/r/25149/#review22659
Good catch. Thanks for taking care of this.
Attachment #8687222 - Flags: review?(dkeeler) → review+
Comment 4 • 9 years ago
You can land this with "DONTBUILD NPOTB" in the commit message since this isn't actually part of the build process.
Comment 5 • 9 years ago (Assignee)
Thanks for the review.
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> You can land this with "DONTBUILD NPOTB" in the commit message since this
> isn't actually part of the build process.
Heh, well, no L3 access, so whoever checks this in for me can I guess.
Keywords: checkin-needed
Keywords: checkin-needed
Comment 7 • 9 years ago
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.
Approval Request Comment
[Feature/regressing bug #]: Required to land NSS 3.21 final with new root CAs. (blocks bug 1211568)
Attachment #8687222 - Flags: approval-mozilla-aurora?
Comment 8 • 9 years ago
Sorry, I might have requested approval-aurora on the wrong bug.
But let me ask to be certain.
If NSS 3.21 lands on Aurora 44, should this land on Aurora 44, too?
If no, please remove my approval request. Thanks.
Flags: needinfo?(cykesiopka.bmo)
Comment 9 • 9 years ago (Assignee)
(In reply to Kai Engert (:kaie) from comment #8)
> Sorry, I might have requested approval-aurora on the wrong bug.
>
> But let me ask to be certain.
>
> If NSS 3.21 lands on Aurora 44, should this land on Aurora 44, too?
>
> If no, please remove my approval request. Thanks.
This is the correct bug, don't worry.
This needs to land on Aurora 44 if NSS 3.21 (and the associated root removals) lands there as well.
Flags: needinfo?(cykesiopka.bmo)
Comment 10 • 9 years ago
The list of root certs that were removed or had the websites trust bit turned off in NSS 3.21 is here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes#Notable_Changes_in_NSS_3.21
Here's what I think needs to be commented out of PreloadedHPKPins.json
100 "Verisign Class 4 Public Primary Certification Authority - G3",
190 "Verisign Class 4 Public Primary Certification Authority - G3",
174 "TC TrustCenter Universal CA III",
180 "UTN DATACorp SGC Root CA",
148 "Equifax Secure CA",
Note, these previously had the Websites trust bit removed, so I think they should also be commented out:
173 "TC TrustCenter Class 3 CA II",
149 "Equifax Secure eBusiness CA 1",
151 "Equifax Secure Global eBusiness CA",
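The description shows the failure mode (the update script dies on the first pinned root name it cannot find in certNameToSKD), and comment 10 adds a second class of entries, roots that are still in the store but have lost the websites trust bit. The following pre-flight check is an added example, not code from this bug, from mozilla-central or from the HPKP update script. It assumes a PreloadedHPKPins.json-style layout of `pinsets` holding `sha256_hashes` lists of cert nicknames, that roots are commented out with `//` line comments (which is what this bug's fix does), and models the root store as a Map from nickname to trust bits; the sample file and store are constructed, not the real ones.

```javascript
// Added example, not code from this bug, from mozilla-central or from the
// genHPKPStaticPins.js update script: a pre-flight check that every root named
// by a PreloadedHPKPins.json-style file still exists in the root store, so the
// static HPKP update is not killed by "Can't find <name> in certNameToSKD".
//
// Assumptions (not confirmed by the bug page): the file has the layout
//   { "pinsets": [ { "name": ..., "sha256_hashes": [ <cert nicknames> ] } ], ... },
// roots are "commented out" with "//" line comments, and the root store is a
// Map from cert nickname to its trust bits ({ websites: true|false }).

// Drop "//" line comments that sit outside string literals, then parse.
// Skipping comments inside strings keeps URLs such as "https://..." intact.
function parsePinsFile(text) {
  let out = "";
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      out += c;
      if (c === "\\" && i + 1 < text.length) {
        out += text[++i];          // copy the escaped character verbatim
      } else if (c === '"') {
        inString = false;
      }
    } else if (c === '"') {
      inString = true;
      out += c;
    } else if (c === "/" && text[i + 1] === "/") {
      while (i < text.length && text[i] !== "\n") i++;   // skip to end of line
      out += "\n";
    } else {
      out += c;
    }
  }
  return JSON.parse(out);
}

// Cross-check every pinset against the root store in one pass. Returns
//   missing:   nicknames absent from the store (the update script would abort
//              on the first of these with the certNameToSKD error)
//   untrusted: nicknames still present but without the websites trust bit,
//              the second group comment 10 lists as candidates for removal
function checkPinsets(pins, rootStore) {
  const missing = [];
  const untrusted = [];
  for (const pinset of pins.pinsets) {
    for (const nick of pinset.sha256_hashes) {
      const trust = rootStore.get(nick);
      if (trust === undefined) {
        missing.push(`${pinset.name}: ${nick}`);
      } else if (!trust.websites) {
        untrusted.push(`${pinset.name}: ${nick}`);
      }
    }
  }
  return { missing, untrusted };
}

// Constructed miniature of a root store after the NSS 3.21 changes (not the
// real list): the Verisign Class 4 G3 root is gone and Equifax Secure
// eBusiness CA 1 is still present but without the websites trust bit.
const ROOT_STORE_AFTER_3_21 = new Map([
  ["Baltimore CyberTrust Root", { websites: true }],
  ["Equifax Secure eBusiness CA 1", { websites: false }],
]);

// Constructed pins file in the style of PreloadedHPKPins.json (not the real
// file); the URL contains "//" to exercise the comment stripper.
const SAMPLE_PINS_FILE = `{
  "chromium_data": { "cert_file_url": "https://example.invalid/roots.pem" },
  "pinsets": [
    { "name": "mozilla",
      "sha256_hashes": [
        "Baltimore CyberTrust Root",
        "Verisign Class 4 Public Primary Certification Authority - G3",
        "Equifax Secure eBusiness CA 1"
      ] }
  ],
  "entries": [
    { "name": "example.invalid", "include_subdomains": true, "pins": "mozilla" }
  ]
}`;

// The fix this bug applies, on the sample: comment the removed root out.
const FIXED_PINS_FILE = SAMPLE_PINS_FILE.replace(
  '"Verisign Class 4 Public Primary Certification Authority - G3",',
  '// "Verisign Class 4 Public Primary Certification Authority - G3",'
);

function report(label, text, rootStore) {
  const result = checkPinsets(parsePinsFile(text), rootStore);
  console.log(`== ${label} ==`);
  for (const m of result.missing) console.log("MISSING (update would abort):", m);
  for (const u of result.untrusted) console.log("no websites trust bit:", u);
  return result;
}

report("before fix", SAMPLE_PINS_FILE, ROOT_STORE_AFTER_3_21);
report("after fix", FIXED_PINS_FILE, ROOT_STORE_AFTER_3_21);
```

Running it against the sample reports the Verisign root as missing before the fix and nothing missing after it; the Equifax entry stays on the trust-bit list either way, which matches the thread's handling of that group in a separate bug rather than in this patch. Unlike the update script, which stops at the first unknown name, the check reports every offender at once, so one pass tells you everything that needs commenting out before a root-store bump.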
Comment 11 • 9 years ago
Thanks for pointing this out, Kathleen. I filed bug 1225288 to deal with the trust bit issues.
Comment 12 • 9 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
status-firefox44: --- → affected
tracking-firefox44: --- → +
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.
This is needed as part of upgrading FF44 to use NSS 3.21. Let's uplift to Aurora44.
Attachment #8687222 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 14 • 9 years ago
bugherder uplift
Comment 15 • 9 years ago
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.
Approval Request Comment
[Feature/regressing bug #]: 1224481
[User impact if declined]: Security changes in bug 1211568
[Describe test coverage new/current, TreeHerder]: Plenty of time in Nightly and Aurora.
[Risks and why]: None
[String/UUID change made/needed]: None
Attachment #8687222 - Flags: approval-mozilla-beta?
Comment 16 • 9 years ago
Tracking for 43 since we intend to uplift to beta.
status-firefox43: --- → affected
tracking-firefox43: --- → +
Comment 17 • 9 years ago
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.
Approved for uplift to beta and m-r. We'd like to get this into the 43 RC build today.
Attachment #8687222 - Flags: approval-mozilla-release+
Attachment #8687222 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 18 • 9 years ago
Comment on attachment 8687222 [details]
MozReview Request: Bug 1224481 - Comment out CA certs removed in NSS 3.21 in PreloadedHPKPins.json to keep periodic Static HPKP updates working.
On further discussion let's not uplift this; we haven't merged it yet into 43. If we need to get it into 43 before the planned disclosure, I think it would be better to have more time and plan it as a 43 dot release.
Attachment #8687222 - Flags: approval-mozilla-release+ → approval-mozilla-release-
Attachment #8687222 - Flags: approval-mozilla-beta+ → approval-mozilla-beta-
Comment 19 • 9 years ago
The update in bug 1158489 didn't need these changes; wontfix for 43.