Bug 1304919
Update Firefox to NSS trunk (3.28)
Status: RESOLVED FIXED, mozilla52
Opened 9 years ago
Closed 9 years ago
Categories: Core :: Security: PSM, defect
People: Reporter: ekr, Unassigned
Attachments (8 files, 1 obsolete file)
  299 bytes, patch
  58 bytes, text/x-review-board-request (mt: review-)
  58 bytes, text/x-review-board-request (mt: review+)
  58 bytes, text/x-review-board-request (mt: review-)
  58 bytes, text/x-review-board-request (mt: review+)
  58 bytes, text/x-review-board-request (mt: review+; lizzard: approval-mozilla-beta+)
  58 bytes, text/x-review-board-request (ekr: review+; lizzard: approval-mozilla-beta+)
  58 bytes, text/x-review-board-request (ekr: review+; lizzard: approval-mozilla-beta+)
Try push for prototype patch.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=dd4ee983895e
Comment 1•9 years ago (Reporter)
MozReview-Commit-ID: CKlvRQ5CsrT
Comment 2•9 years ago (Reporter)
MozReview-Commit-ID: A2SInDEZnnF
Updated•9 years ago (Reporter)
Attachment #8794014 -
Attachment is obsolete: true
Comment 6•9 years ago
mozreview-review
Comment on attachment 8794020 [details]
Update NSS
https://reviewboard.mozilla.org/r/80584/#review79288
Fix the commit message and add eccutil.h (hg add).
Attachment #8794020 -
Flags: review-
Updated•9 years ago
Attachment #8794021 -
Flags: review?(dkeeler)
Comment 7•9 years ago
mozreview-review
Comment on attachment 8794022 [details]
Bug 1304919 -- Update Firefox to NSS trunk (fix PSM)
https://reviewboard.mozilla.org/r/80588/#review79292
::: security/manager/ssl/nsNSSCallbacks.cpp
(Diff revision 1)
> - MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("Auth Type=%d\n",
> - channelInfo.authType));
Squash this.
Attachment #8794022 -
Flags: review-
Comment 8•9 years ago
mozreview-review
Comment on attachment 8794021 [details]
TLS 1.3 draft-16 adaptation
https://reviewboard.mozilla.org/r/80586/#review79294
Fix the commit message and squash the next.
Attachment #8794021 -
Flags: review+
Updated•9 years ago
Attachment #8794021 -
Flags: review?(dkeeler)
Comment 14•9 years ago
mozreview-review
Comment on attachment 8794049 [details]
Bug 1304919 - Update Firefox to NSS trunk,
https://reviewboard.mozilla.org/r/80630/#review79324
Attachment #8794049 -
Flags: review?(martin.thomson) → review+
Comment 15•9 years ago
mozreview-review
Comment on attachment 8794050 [details]
Bug 1304919 - PSM changes to support TLS 1.3 key exchange,
https://reviewboard.mozilla.org/r/80632/#review79326
Fix that extra line.
::: security/manager/ssl/nsNSSCallbacks.cpp:1178
(Diff revision 1)
> + MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("Auth Type=%d\n",
> + channelInfo.authType));
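Review bot: the added MOZ_LOG call at nsNSSCallbacks.cpp:1178 prints channelInfo.authType at LogLevel::Error, so a routine handshake value is reported in gPIPNSSLog as an error. If the value is worth keeping, log it at LogLevel::Debug; otherwise drop the two lines before landing.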
Gah
Attachment #8794050 -
Flags: review?(martin.thomson) → review+
Comment 19•9 years ago (Reporter)
mozreview-review
Comment on attachment 8794051 [details]
Bug 1304919 - Update TLS server tests to expect TLS 1.3 cipher suite,
https://reviewboard.mozilla.org/r/80634/#review79388
LGTM
Comment 20•9 years ago (Reporter)
mozreview-review
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,
https://reviewboard.mozilla.org/r/80636/#review79390
::: media/mtransport/transportlayerdtls.cpp:461
(Diff revision 2)
> + ssl_grp_ffdhe_2048,
> + ssl_grp_ffdhe_3072
> +};
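Review bot: the ssl_grp_ffdhe_2048 and ssl_grp_ffdhe_3072 entries that close the array carry no comment saying why finite-field groups are listed. A one-line comment next to them stating the reason (the answer given later in this thread is that without them the server side will not do DHE suites) would keep a later cleanup from removing them.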
Is there any actual point in enabling the FFDHE groups? IIRC the only counterparties who support FFDHE don't implement 7919
::: media/mtransport/transportlayerdtls.cpp:599
(Diff revision 2)
> + rv = SSL_NamedGroupConfig(ssl_fd, NamedGroupPreferences,
> + mozilla::ArrayLength(NamedGroupPreferences));
> + if (rv != SECSuccess) {
> + MOZ_MTLOG(ML_ERROR, "Couldn't disable ECDHE key reuse");
> + return false;
> + }
> +
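Review bot: the MOZ_MTLOG text in the failure branch says "Couldn't disable ECDHE key reuse", but the call that failed is SSL_NamedGroupConfig, so a failure here would be logged under the wrong operation. Change the message to name the named-group configuration, for example "Couldn't set named groups".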
Need to fix cut-and-pasted error message.
::: media/mtransport/transportlayerdtls.cpp:709
(Diff revision 2)
> TLS_RSA_WITH_AES_128_GCM_SHA256,
> + TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA256,
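Review bot: TLS_RSA_WITH_AES_256_GCM_SHA384 is added by hand to a hard-coded list of suites in the same series that updates NSS, which suggests the list must be edited every time NSS gains a suite. A comment on the list saying so, or a test that fails when NSS implements a suite this code has not classified, would catch a missed entry.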
This feels like it reveals a weakness in this design :)
Comment 21•9 years ago
mozreview-review-reply
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,
https://reviewboard.mozilla.org/r/80636/#review79390
> Is there any actual point in enabling the FFDHE groups? IIRC the only counterparties who support FFDHE don't implement 7919
Yes, because if we don't enable them, then - as a server - we won't do DHE suites.
> This feels like it reveals a weakness in this design :)
Yeah, but the alternative is much more complicated. This works well enough. (And negotiating that cipher suite isn't the end of the world.)
Comment 25•9 years ago (Reporter)
mozreview-review
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,
https://reviewboard.mozilla.org/r/80636/#review79572
LGTM
Attachment #8794052 -
Flags: review?(ekr) → review+
Comment 26•9 years ago (Reporter)
mozreview-review
Comment on attachment 8794051 [details]
Bug 1304919 - Update TLS server tests to expect TLS 1.3 cipher suite,
https://reviewboard.mozilla.org/r/80634/#review79570
This continues to LGTM
Attachment #8794051 -
Flags: review?(ekr) → review+
Comment 27•9 years ago
Pushed by martin.thomson@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d7e412fddbbc
Update Firefox to NSS trunk, r=mt
https://hg.mozilla.org/integration/mozilla-inbound/rev/b54d608edfa8
PSM changes to support TLS 1.3 key exchange, r=mt
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb62ee48735e
Update TLS server tests to expect TLS 1.3 cipher suite, r=ekr
https://hg.mozilla.org/integration/mozilla-inbound/rev/f1aace586e14
Update WebRTC to latest NSS, r=ekr
Comment 28•9 years ago
Backed out for mass test failures on OS X 10.10 opt in tests which mock (encrypted?) connections:
https://hg.mozilla.org/integration/mozilla-inbound/rev/9c004ac338be00d7ceb5c38cc46f1219074d2ac4
https://hg.mozilla.org/integration/mozilla-inbound/rev/4658256016c39e6ed4c2fc5eef73b0a68fc3492e
https://hg.mozilla.org/integration/mozilla-inbound/rev/ddd64e2cf55f055ddb031ce84d620b6211addaa1
https://hg.mozilla.org/integration/mozilla-inbound/rev/11c0e181dba102950b3034cf8a449c4070178479
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=f1aace586e14a276cc43dd00111d5c9d04580ea0
Screenshot from a failing test: http://mozilla-releng-blobs.s3.amazonaws.com/blobs/mozilla-inbound/sha512/da6cdf295d609284f274c5eb5f4de60261be79d2ce7237b5751bbd32b573f40530dddc869a8973dde617cdcd87aaff4dbcbb4ce17a3a2a8d0e2fa0aa7f15b3f2
Flags: needinfo?(martin.thomson)
Comment 29•9 years ago
I think that I understand what is going on, strange that it's only the OSX 10.10 build that burned though. I updated NSS twice in developing the patch. The script that updates NSS toggles a useless change in security/nss/coreconf/coreconf.dep, which apparently the build system uses as a trigger to clobber just NSS. This doesn't cause any problems on try, but apparently we don't do clobber builds on inbound, so it burned up.
More justification to work on bug 1237872.
I've another try build, which I will check in on and land if it looks moderately good. I've picked up a few more NSS commits in the process, but none that should affect Firefox:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=11b6add1747f
Flags: needinfo?(martin.thomson)
Comment 30•9 years ago
Pushed by martin.thomson@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1f78960aea76
Update NSS to trunk, r=ekr
https://hg.mozilla.org/integration/mozilla-inbound/rev/96991c815ab8
PSM changes to support TLS 1.3 key exchange, r=mt
https://hg.mozilla.org/integration/mozilla-inbound/rev/a32d729a8c6b
Update TLS server tests to expect TLS 1.3 cipher suite, r=ekr
https://hg.mozilla.org/integration/mozilla-inbound/rev/494e0af296f6
Update WebRTC to latest NSS, r=ekr
Comment 31•9 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1f78960aea76
https://hg.mozilla.org/mozilla-central/rev/96991c815ab8
https://hg.mozilla.org/mozilla-central/rev/a32d729a8c6b
https://hg.mozilla.org/mozilla-central/rev/494e0af296f6
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox52:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Comment 32•9 years ago (Reporter)
Comment on attachment 8794050 [details]
Bug 1304919 - PSM changes to support TLS 1.3 key exchange,
This is one of three supporting patches for the NSS 3.28 uplift to Beta.
See bug 1305970
Attachment #8794050 -
Flags: approval-mozilla-beta?
Comment 33•9 years ago (Reporter)
Comment on attachment 8794051 [details]
Bug 1304919 - Update TLS server tests to expect TLS 1.3 cipher suite,
This is one of three supporting patches for the 3.28 uplift to Beta. See approval in bug 1305970
Attachment #8794051 -
Flags: approval-mozilla-beta?
Comment 34•9 years ago (Reporter)
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,
This is one of three supporting patches for the 3.28 uplift to Beta. See approval in bug 1305970
Attachment #8794052 -
Flags: approval-mozilla-beta?
Comment 35•9 years ago (Reporter)
Specifically see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1305970#c47
Flags: needinfo?(lhenry)
Comment 36•9 years ago
Comment on attachment 8794050 [details]
Bug 1304919 - PSM changes to support TLS 1.3 key exchange,
OK to uplift to beta 51.
Flags: needinfo?(lhenry)
Attachment #8794050 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•9 years ago
Attachment #8794051 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 37•9 years ago
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,
OK for beta 51.
Attachment #8794052 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•9 years ago
status-firefox51:
--- → affected
Comment 38•9 years ago
Pushed to mozilla-beta:
https://hg.mozilla.org/releases/mozilla-beta/rev/b632e57ae1940c9510a46d509cb044be4a954ba9
https://hg.mozilla.org/releases/mozilla-beta/rev/4178026a9a76aaa80ff3b3d7276a38999b0d249a
https://hg.mozilla.org/releases/mozilla-beta/rev/e30ea49b4bf4dd58b9620f1666af7d4dd47b017a
https://hg.mozilla.org/releases/mozilla-beta/rev/3db4e6dd305a9589f11bdb08aed157c94ffb1fe1
Comment 39•9 years ago
Gerry, can you add this to the release notes, Updated to NSS 3.28.1 - with a link to https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.1_release_notes ?
I am having some trouble getting into Nucleus right now, so I'm asking you in case I don't get it fixed today. Thanks!
relnote-firefox:
--- → 51+
Flags: needinfo?(gchang)
Comment 40•9 years ago
I got the login issue straightened out. Release note added.
Flags: needinfo?(gchang)