Closed Bug 1254667 Opened 5 years ago Closed 5 years ago
switch certificate verification SHA1 policy to "allow for locally-installed roots"
MozReview Request: bug 1254667 - change certificate verification SHA1 policy to "allow for locally-installed roots" r?jcj
Currently our SHA1 policy for certificate verification is "allow all" (due to compatibility issues with local MITM software). Telemetry indicates that we should be able to switch it into "allow for locally-installed roots" with negligible compatibility impact. (See http://mzl.la/1RQguoG - everything in bucket 4 would become an overridable error. Bucket 5 is the current error rate, which is 4 orders of magnitude larger than bucket 4).
Before this patch, the default policy for the use of SHA1 in certificate signatures was "allow all" due to compatibility concerns. After gathering telemetry, we are confident that we can enforce the policy of "allow for locally-installed roots" (or certificates valid before 2016) without too much breakage. Review commit: https://reviewboard.mozilla.org/r/42849/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/42849/
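To make the policy change concrete, the following is an added illustration (not Firefox, NSS or mozilla::pkix code, and not the patch under review) that models the two SHA-1 enforcement modes named in this bug as a decision over a certificate chain. Certificates are plain records constructed inline rather than parsed X.509, the `Cert`, `Sha1Policy` and `evaluate_chain` names are this example's own, and the assumption that a trust anchor's self-signature is never evaluated reflects ordinary path-validation behaviour, not something stated on this page.

```python
"""Model of the SHA-1 certificate-signature policy discussed in bug 1254667.

Added example, not Mozilla code. Certificates are plain records (constructed
inline) instead of parsed X.509 structures so the logic runs stand-alone.
"""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Dict, List


class Sha1Policy(Enum):
    ALLOW_ALL = "allow all"                                   # pre-patch default
    ALLOW_LOCAL_ROOTS = "allow for locally-installed roots"   # post-patch default


class Verdict(Enum):
    OK = "ok"
    SHA1_OVERRIDABLE_ERROR = "overridable error: SHA-1 signature not allowed"


@dataclass(frozen=True)
class Cert:
    subject: str
    sig_alg: str                # algorithm the *issuer* used to sign this certificate
    not_before: datetime        # start of the validity period
    builtin_root: bool = False  # True only for a root shipped in the built-in store


# "certificates valid before 2016" in the bug text: notBefore earlier than this.
POLICY_CUTOFF = datetime(2016, 1, 1)


def evaluate_chain(chain: List[Cert], policy: Sha1Policy) -> Verdict:
    """chain[0] is the end-entity certificate, chain[-1] the trust anchor.

    The anchor's own (self-)signature is never checked: a trust anchor is trusted
    by identity, so only the signatures on the certificates below it matter.
    """
    root = chain[-1]
    if policy is Sha1Policy.ALLOW_ALL:
        return Verdict.OK
    # ALLOW_LOCAL_ROOTS: a SHA-1 signature is tolerated when the chain ends at a
    # root that was installed locally (e.g. by MITM/AV software) rather than a
    # built-in one, or when the SHA-1-signed certificate predates 2016.
    for cert in chain[:-1]:
        if not cert.sig_alg.lower().startswith("sha1"):
            continue                       # SHA-2 family etc.: nothing to enforce
        if not root.builtin_root:
            continue                       # locally-installed root: allowed
        if cert.not_before < POLICY_CUTOFF:
            continue                       # legacy certificate: allowed
        return Verdict.SHA1_OVERRIDABLE_ERROR
    return Verdict.OK


# Constructed sample chains (hypothetical names; not real certificates).
BUILTIN_ROOT = Cert("Built-in Root CA", "sha256WithRSA", datetime(2006, 1, 1), builtin_root=True)
LOCAL_ROOT = Cert("Corp Proxy Root", "sha1WithRSA", datetime(2014, 6, 1), builtin_root=False)
INTERMEDIATE = Cert("Intermediate CA", "sha256WithRSA", datetime(2014, 1, 1))
EE_SHA1_2017 = Cert("www.example.test", "sha1WithRSA", datetime(2017, 3, 1))
EE_SHA1_2015 = Cert("legacy.example.test", "sha1WithRSA", datetime(2015, 7, 1))
EE_SHA256 = Cert("modern.example.test", "sha256WithRSA", datetime(2017, 3, 1))


def demo() -> Dict[str, Verdict]:
    """Runs the cases a reviewer would want to see and returns the verdicts."""
    return {
        "sha1-2017 under built-in root, allow all":
            evaluate_chain([EE_SHA1_2017, INTERMEDIATE, BUILTIN_ROOT], Sha1Policy.ALLOW_ALL),
        "sha1-2017 under built-in root, local-roots policy":
            evaluate_chain([EE_SHA1_2017, INTERMEDIATE, BUILTIN_ROOT], Sha1Policy.ALLOW_LOCAL_ROOTS),
        "sha1-2017 under local root, local-roots policy":
            evaluate_chain([EE_SHA1_2017, LOCAL_ROOT], Sha1Policy.ALLOW_LOCAL_ROOTS),
        "sha1-2015 under built-in root, local-roots policy":
            evaluate_chain([EE_SHA1_2015, INTERMEDIATE, BUILTIN_ROOT], Sha1Policy.ALLOW_LOCAL_ROOTS),
        "sha256 under built-in root, local-roots policy":
            evaluate_chain([EE_SHA256, INTERMEDIATE, BUILTIN_ROOT], Sha1Policy.ALLOW_LOCAL_ROOTS),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict.value}")
```

Only the second case changes between the two policies: a SHA-1 signature issued in 2016 or later that chains to a built-in root becomes an overridable error, which is exactly the "bucket 4" population the telemetry link in comment 0 refers to; chains ending at a locally-installed root, and pre-2016 SHA-1 certificates, continue to validate.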
Attachment #8735555 - Flags: review?(jjones)
Comment on attachment 8735555 [details] MozReview Request: bug 1254667 - change certificate verification SHA1 policy to "allow for locally-installed roots" r?jcj https://reviewboard.mozilla.org/r/42849/#review39375 Simple; LGTM.
Attachment #8735555 - Flags: review?(jjones) → review+
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/c61726fe9e64 for android S4 bustage like https://treeherder.mozilla.org/logviewer.html#?job_id=24819209&repo=mozilla-inbound Android didn't run on the try push, so I manually triggered it there to see if it pops up in the try push. Guess we'll have results in an hour or so.
Comment on attachment 8735555 [details] MozReview Request: bug 1254667 - change certificate verification SHA1 policy to "allow for locally-installed roots" r?jcj Review request updated; see interdiff: https://reviewboard.mozilla.org/r/42849/diff/1-2/
So, it turns out there was a bug in the original patch - collected pinning telemetry would get reset prematurely, essentially. It looks like the different behavior on android S4 vs. regular xpcshell has something to do with what prefs are picked up, so I changed the patch to set the appropriate pref for the entire platform. I also modified the relevant tests to set the pref themselves so that if we ever have to have different pref defaults on different platforms, those tests will still work as expected. New try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=ae0c58fae4ed
See Also: → 942515
It's late, but I updated the site compatibility doc: https://www.fxsitecompat.com/en-CA/docs/2015/sha-1-based-certificates-with-validity-period-from-2016-will-not-be-validated/