Closed Bug 1267463 Opened 8 years ago Closed 8 years ago

add a more nuanced subject common name fallback option for prerelease channels

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla49
Tracking Status
firefox48 --- fixed
firefox49 --- fixed

People

(Reporter: keeler, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

In bug 1245280, we added functionality that prevented subject common name fallback during name matching (during certificate verification) on prerelease channels. This turned out to be a bit too restrictive because it shows the hostname mismatch error page for very old certificates (that are still valid). It would be better to have an option between "never fallback" and "fallback for certificates valid before 23 August 2016".
Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

https://reviewboard.mozilla.org/r/49045/#review45867

There's something really amusing about a 2015 date being "really old".

LGTM.
Attachment #8745555 - Flags: review?(jjones) → review+
Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

https://reviewboard.mozilla.org/r/49045/#review45925

Looks good!

I assume we're going to uplift this to m-a as well?

::: security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js:59
(Diff revision 1)
>    do_print("current mode: always fall back, root not built-in");
>    checkCertOn25August2016(certFromFile("no-san-recent"),
>                            PRErrorCodeSuccess);
>    checkCertOn25August2016(certFromFile("no-san-old"),
>                            PRErrorCodeSuccess);
> +  checkCertOn25August2016(certFromFile("no-san-really-old"),

Optional: Maybe "no-san-more-old"? Like jcj, a date in 2015 doesn't strike me as "really old".

::: security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js:65
(Diff revision 1)
> +                          PRErrorCodeSuccess);
>    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
>                            PRErrorCodeSuccess);
>    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
>                            PRErrorCodeSuccess);
> +  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-really-old"),

Same "really old" comment as above.
Attachment #8745555 - Flags: review?(cykesiopka.bmo) → review+
Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/49045/diff/1-2/
https://reviewboard.mozilla.org/r/49045/#review45925

Thanks for the reviews!
Uplifting is the plan.

> Optional: Maybe "no-san-more-old"? Like jcj, a date in 2015 doesn't strike me as "really old".

Sounds good (I went with "no-san-older").
https://hg.mozilla.org/mozilla-central/rev/431d60d0b211
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

Approval Request Comment
[Feature/regressing bug #]: bug 1245280
[User impact if declined]: spurious "wrong host" TLS errors on prerelease channels
[Describe test coverage new/current, TreeHerder]: has a test
[Risks and why]: low - this takes a preexisting feature and extends it a bit
[String/UUID change made/needed]: none
Attachment #8745555 - Flags: approval-mozilla-aurora?
Comment on attachment 8745555 [details]
MozReview Request: bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels

We want nightly and aurora to behave the same for fallback. 
Please uplift to aurora.
Attachment #8745555 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.