Closed Bug 1289865 Opened 3 years ago Closed 3 years ago

investigate adding CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY to enterprise roots support on Windows

Categories

(Core :: Security: PSM, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
relnote-firefox --- -
firefox50 --- affected
firefox52 --- fixed

People

(Reporter: keeler, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

(From Bruno Marsal (Bullja) from bug 1265113 comment #42)
> In addition to CERT_SYSTEM_STORE_LOCAL_MACHINE, I suggest to also read the
> CAs from CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY. Root CAs distributed
> using AD Group Policies are located within this system store.
> 
> Without FF reading from CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY also,
> admins would need to locally move Root CAs from
> CERT_SYSTEM_STORE_LOCAL_MACHINE to
> CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY to take advantage of
> security.enterprise_roots.enabled.
(In reply to David Keeler [:keeler] (use needinfo?) from comment #0)
> (From Bruno Marsal (Bullja) from bug 1265113 comment #42)

Looks like this should have been:

> > Without FF reading from CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY also,
> > admins would need to locally move Root CAs from
> > CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY to
> > CERT_SYSTEM_STORE_LOCAL_MACHINE to take advantage of
> > security.enterprise_roots.enabled.

(with LM and LMGP switched)
Assignee: nobody → dkeeler
Priority: P2 → P1
Whiteboard: [psm-backlog] → [psm-assigned]
Following some enterprise-list discussion [1]: please also include CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, as this location is used for distributing trusted certificates in enterprise environments [2].

[1] https://mail.mozilla.org/private/enterprise/2016-September/007069.html
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa388136%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396#CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
Matt - just giving you a heads-up that we'll probably need to involve QA a bit with this change. Thanks!
QA Contact: mwobensmith
Comment on attachment 8798669 [details]
bug 1289865 - look in more registry locations for enterprise roots

https://reviewboard.mozilla.org/r/84100/#review82836

Looks good, assuming a green try run.
I'm going to assume that these locations were all confirmed as OK to import from, or that mhowell will confirm during his review.
Attachment #8798669 - Flags: review?(cykesiopka.bmo) → review+
Comment on attachment 8798669 [details]
bug 1289865 - look in more registry locations for enterprise roots

https://reviewboard.mozilla.org/r/84100/#review82842

Yep, looks good. Both these stores should definitely be safe to import, because they're empty unless populated by Active Directory or custom local policy.
Attachment #8798669 - Flags: review?(mhowell) → review+
Kamil, just FYI - we're probably going to have to update our test plan so that we use these additional locations for certificate import.
Flags: needinfo?(kjozwiak)
Thanks!
Here's the try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=f37f2cdd150f
That build failure appears to be an unrelated intermittent.
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a0b724958434
look in more registry locations for enterprise roots r=Cykesiopka,mhowell
https://hg.mozilla.org/mozilla-central/rev/a0b724958434
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Duplicate of this bug: 1305735
Duplicate of this bug: 1333118
:keeler when will v52 be released GA?
disregard previous question
Release Note Request (optional, but appreciated)
[Why is this notable]:

For enterprise users in particular, having Firefox trust the same root certificates that the OS trusts has been a pain point for a long time. As of the implementation of this bug (and bug 1265113), flipping the new pref should make this "just work". Since 52 is the first time this feature is available for ESR, we should point it out.

[Affects Firefox for Android]: no

[Suggested wording]:

Root certificates added to the Windows trust store can be used by Firefox by setting the preference "security.enterprise_roots.enabled" to true

[Links (documentation, blog post, etc)]:

https://wiki.mozilla.org/CA:AddRootToFirefox
https://mike.kaply.com/2016/09/01/upcoming-changes-to-root-certificates-in-firefox-on-windows/
relnote-firefox: --- → ?
Flags: needinfo?(kjozwiak)
I don't think we noted this for 52, at least not in release: https://www.mozilla.org/en-US/firefox/52.0/releasenotes/

keeler, was this still true on 52 release? We can go add a release note even now just for the sake of completion.
Flags: needinfo?(dkeeler)
Yes, this was in both the ESR and the regular 52 release.
Flags: needinfo?(dkeeler)
You need to log in before you can comment on or make changes to this bug.