1267463 - add a more nuanced subject common name fallback option for prerelease channels

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[Dana Keeler (she/her) (use needinfo) [:keeler]]

In bug 1245280, we added functionality that prevented subject common name fallback during name matching (during certificate verification) on prerelease channels. This turned out to be a bit too restrictive because it shows the hostname mismatch error page for very old certificates (that are still valid). It would be better to have an option between "never fallback" and "fallback for certificates valid before 23 August 2016".

Comment 1

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Attachment: MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

Review commit: https://reviewboard.mozilla.org/r/49045/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/49045/

Comment 2

[J.C. Jones [:jcj] (he/they)]

Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

https://reviewboard.mozilla.org/r/49045/#review45867

There's something really amusing about a 2015 date being "really old".

LGTM.

Comment 3

[:Cykesiopka]

Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

https://reviewboard.mozilla.org/r/49045/#review45925

Looks good!

I assume we're going to uplift this to m-a as well?

::: security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js:59
(Diff revision 1)
>    do_print("current mode: always fall back, root not built-in");
>    checkCertOn25August2016(certFromFile("no-san-recent"),
>                            PRErrorCodeSuccess);
>    checkCertOn25August2016(certFromFile("no-san-old"),
>                            PRErrorCodeSuccess);
> +  checkCertOn25August2016(certFromFile("no-san-really-old"),

Optional: Maybe "no-san-more-old"? Like jcj, a date in 2015 doesn't strike me as "really old".

::: security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js:65
(Diff revision 1)
> +                          PRErrorCodeSuccess);
>    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
>                            PRErrorCodeSuccess);
>    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
>                            PRErrorCodeSuccess);
> +  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-really-old"),

Same "really old" comment as above.

Comment 4

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/49045/diff/1-2/

Comment 5

[J.C. Jones [:jcj] (he/they)]

https://reviewboard.mozilla.org/r/49045/#review46115

Comment 6

[Dana Keeler (she/her) (use needinfo) [:keeler]]

https://reviewboard.mozilla.org/r/49045/#review45925

Thanks for the reviews!
Uplifting is the plan.

> Optional: Maybe "no-san-more-old"? Like jcj, a date in 2015 doesn't strike me as "really old".

Sounds good (I went with "no-san-older").

Comment 7

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/431d60d0b211

Comment 8

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/431d60d0b211

Comment 10

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

Approval Request Comment
[Feature/regressing bug #]: bug 1245280
[User impact if declined]: spurious "wrong host" TLS errors on prerelease channels
[Describe test coverage new/current, TreeHerder]: has a test
[Risks and why]: low - this takes a preexisting feature and extends it a bit
[String/UUID change made/needed]: none

Comment 11

[Liz Henry (:lizzard) (relman/hg->git project)]

Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

We want nightly and aurora to behave the same for fallback. 
Please uplift to aurora.

Comment 12

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/releases/mozilla-aurora/rev/9fef9b8ac198