Closed
Bug 1254667
Opened 9 years ago
Closed 9 years ago
switch certificate verification SHA1 policy to "allow for locally-installed roots"
Categories
(Core :: Security: PSM, defect)
Tracking
RESOLVED
FIXED
mozilla48
| | Tracking | Status |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: keeler, Assigned: keeler)
References
Details
(Keywords: dev-doc-needed, site-compat, Whiteboard: [psm-assigned])
Attachments
(1 file)
Currently our SHA1 policy for certificate verification is "allow all" (due to compatibility issues with local MITM software). Telemetry indicates that we should be able to switch it into "allow for locally-installed roots" with negligible compatibility impact. (See http://mzl.la/1RQguoG - everything in bucket 4 would become an overridable error. Bucket 5 is the current error rate, which is 4 orders of magnitude larger than bucket 4).
Assignee
Updated•9 years ago
Whiteboard: [psm-assigned]
Assignee
Comment 1•9 years ago
Before this patch, the default policy for the use of SHA1 in certificate
signatures was "allow all" due to compatibility concerns.
After gathering telemetry, we are confident that we can enforce the policy of
"allow for locally-installed roots" (or certificates valid before 2016) without
too much breakage.
Review commit: https://reviewboard.mozilla.org/r/42849/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/42849/
Attachment #8735555 - Flags: review?(jjones)
Comment 2•9 years ago
Comment on attachment 8735555 [details]
MozReview Request: bug 1254667 - change certificate verification SHA1 policy to "allow for locally-installed roots" r?jcj
https://reviewboard.mozilla.org/r/42849/#review39375
Simple; LGTM.
Attachment #8735555 - Flags: review?(jjones) → review+
Assignee
Comment 3•9 years ago
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/c61726fe9e64 for android S4 bustage like https://treeherder.mozilla.org/logviewer.html#?job_id=24819209&repo=mozilla-inbound
Android didn't run on the try push, so I manually triggered it there to see if it pops up in the try push. Guess we'll have results in an hour or so.
Flags: needinfo?(dkeeler)
Assignee
Comment 6•9 years ago
Comment on attachment 8735555 [details]
MozReview Request: bug 1254667 - change certificate verification SHA1 policy to "allow for locally-installed roots" r?jcj
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/42849/diff/1-2/
Assignee
Comment 7•9 years ago
So, it turns out there was a bug in the original patch - collected pinning telemetry would get reset prematurely, essentially. It looks like the different behavior on android S4 vs. regular xpcshell has something to do with what prefs are picked up, so I changed the patch to set the appropriate pref for the entire platform. I also modified the relevant tests to set the pref themselves so that if we ever have to have different pref defaults on different platforms, those tests will still work as expected.
New try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=ae0c58fae4ed
Flags: needinfo?(dkeeler)
Comment 8•9 years ago
Comment 10•9 years ago
bugherder
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Updated•8 years ago
Keywords: dev-doc-needed, site-compat
Comment 11•8 years ago
It's late but updated the site compatibility doc: https://www.fxsitecompat.com/en-CA/docs/2015/sha-1-based-certificates-with-validity-period-from-2016-will-not-be-validated/