Closed Bug 1254667 Opened 5 years ago Closed 5 years ago

switch certificate verification SHA1 policy to "allow for locally-installed roots"

Categories: Core :: Security: PSM, defect
Type: defect; Priority: Not set; Severity: normal
Tracking: RESOLVED FIXED, mozilla48
Tracking Status: firefox48 --- fixed
People: Reporter: keeler, Assigned: keeler
Keywords: dev-doc-needed, site-compat; Whiteboard: [psm-assigned]
Attachments: 1 file

Currently our SHA1 policy for certificate verification is "allow all" (due to compatibility issues with local MITM software). Telemetry indicates that we should be able to switch it into "allow for locally-installed roots" with negligible compatibility impact. (See http://mzl.la/1RQguoG - everything in bucket 4 would become an overridable error. Bucket 5 is the current error rate, which is 4 orders of magnitude larger than bucket 4).
Whiteboard: [psm-assigned]
Before this patch, the default policy for the use of SHA1 in certificate
signatures was "allow all" due to compatibility concerns.
After gathering telemetry, we are confident that we can enforce the policy of
"allow for locally-installed roots" (or certificates valid before 2016) without
too much breakage.

Review commit: https://reviewboard.mozilla.org/r/42849/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/42849/
Attachment #8735555 - Flags: review?(jjones)
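As an added illustration (not Firefox/PSM code), the Python model below encodes the three SHA-1 signature policies named in the description and the commit message, and compares two policies over constructed sample chains so that `newly_broken` plays the role of the telemetry comparison: chains that pass under "allow all" but fail under "allow for locally-installed roots" are the ones that would turn into an overridable error. It assumes the pre-2016 exemption is judged on the notBefore of each SHA-1-signed certificate, and that a trust anchor's own self-signature is not checked.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed model of the SHA-1 signature policies this bug moves between.
ALLOW_ALL = "allow all"
ALLOW_LOCAL_ROOTS = "allow for locally-installed roots"  # or certs valid before 2016
FORBID = "forbid"
CUTOFF = datetime(2016, 1, 1)  # "valid before 2016": notBefore earlier than this


@dataclass
class Cert:
    subject: str
    sig_hash: str          # hash algorithm in the signature *on* this cert
    not_before: datetime


@dataclass
class Chain:
    certs: list                   # end-entity first, then intermediates; the root is
                                  # omitted because its self-signature is not checked
    root_locally_installed: bool  # trust anchor was imported (e.g. a local MITM proxy)


def verify_sha1_policy(chain, policy):
    """Return 'ok' or 'overridable error' for the chain under the given policy.

    Only the signature hash is modelled, not a full path validation.
    """
    sha1_certs = [c for c in chain.certs if c.sig_hash == "sha1"]
    if not sha1_certs or policy == ALLOW_ALL:
        return "ok"
    if policy == ALLOW_LOCAL_ROOTS:
        if chain.root_locally_installed:
            return "ok"
        # Assumption: the pre-2016 exemption is judged per SHA-1-signed cert.
        if all(c.not_before < CUTOFF for c in sha1_certs):
            return "ok"
    return "overridable error"  # FORBID, or SHA-1 under a built-in root after 2016


def newly_broken(chains, old_policy, new_policy):
    """Subjects of chains that pass under old_policy but fail under new_policy."""
    return [ch.certs[0].subject for ch in chains
            if verify_sha1_policy(ch, old_policy) == "ok"
            and verify_sha1_policy(ch, new_policy) != "ok"]


# Constructed sample chains, not real telemetry data.
SAMPLE_CHAINS = [
    Chain([Cert("sha256.example", "sha256", datetime(2016, 2, 1))], False),
    Chain([Cert("old-sha1.example", "sha1", datetime(2015, 6, 1))], False),
    Chain([Cert("new-sha1.example", "sha1", datetime(2016, 2, 1))], False),
    Chain([Cert("av-proxy.example", "sha1", datetime(2016, 3, 1))], True),
]

if __name__ == "__main__":
    print(newly_broken(SAMPLE_CHAINS, ALLOW_ALL, ALLOW_LOCAL_ROOTS))  # ['new-sha1.example']
    print(newly_broken(SAMPLE_CHAINS, ALLOW_ALL, FORBID))
```

Only the post-2016 SHA-1 chain under a built-in root changes outcome with the new policy; the locally-installed-root chain keeps working, which is the compatibility case the description is protecting.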
Comment on attachment 8735555 [details]
MozReview Request: bug 1254667 - change certificate verification SHA1 policy to "allow for locally-installed roots" r?jcj

https://reviewboard.mozilla.org/r/42849/#review39375

Simple; LGTM.
Attachment #8735555 - Flags: review?(jjones) → review+
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/c61726fe9e64 for android S4 bustage like https://treeherder.mozilla.org/logviewer.html#?job_id=24819209&repo=mozilla-inbound


Android didn't run on the try push, so I manually triggered it there to see if it pops up in the try push. Guess we'll have results in an hour or so.
Flags: needinfo?(dkeeler)
Comment on attachment 8735555 [details]
MozReview Request: bug 1254667 - change certificate verification SHA1 policy to "allow for locally-installed roots" r?jcj

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/42849/diff/1-2/
So, it turns out there was a bug in the original patch - collected pinning telemetry would get reset prematurely, essentially. It looks like the different behavior on android S4 vs. regular xpcshell has something to do with what prefs are picked up, so I changed the patch to set the appropriate pref for the entire platform. I also modified the relevant tests to set the pref themselves so that if we ever have to have different pref defaults on different platforms, those tests will still work as expected.

New try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=ae0c58fae4ed
Flags: needinfo?(dkeeler)
https://hg.mozilla.org/mozilla-central/rev/8772f2293eab
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48