Closed Bug 1304919 Opened 3 years ago Closed 3 years ago

Update Firefox to NSS trunk (3.28)

Categories

(Core :: Security: PSM, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
relnote-firefox --- 51+
firefox51 --- fixed
firefox52 --- fixed

People

(Reporter: ekr, Unassigned)

References

Details

Attachments

(8 files, 1 obsolete file)

MozReview-Commit-ID: CKlvRQ5CsrT
MozReview-Commit-ID: A2SInDEZnnF
Attachment #8794014 - Attachment is obsolete: true
Comment on attachment 8794020 [details]
Update NSS

https://reviewboard.mozilla.org/r/80584/#review79288

Fix the commit message and add eccutil.h (hg add).
Attachment #8794020 - Flags: review-
Attachment #8794021 - Flags: review?(dkeeler)
Comment on attachment 8794022 [details]
Bug 1304919 -- Update Firefox to NSS trunk (fix PSM)

https://reviewboard.mozilla.org/r/80588/#review79292

::: security/manager/ssl/nsNSSCallbacks.cpp
(Diff revision 1)
> -              MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("Auth Type=%d\n",
> -                                                    channelInfo.authType));

Squash this.
Attachment #8794022 - Flags: review-
Comment on attachment 8794021 [details]
TLS 1.3 draft-16 adaptation

https://reviewboard.mozilla.org/r/80586/#review79294

Fix the commit message and squash the next.
Attachment #8794021 - Flags: review+
Attachment #8794021 - Flags: review?(dkeeler)
Blocks: 1304923
Blocks: 1304926
Blocks: 1304927
Duplicate of this bug: 1304921
Comment on attachment 8794049 [details]
Bug 1304919 - Update Firefox to NSS trunk,

https://reviewboard.mozilla.org/r/80630/#review79324
Attachment #8794049 - Flags: review?(martin.thomson) → review+
Comment on attachment 8794050 [details]
Bug 1304919 - PSM changes to support TLS 1.3 key exchange,

https://reviewboard.mozilla.org/r/80632/#review79326

Fix that extra line.

::: security/manager/ssl/nsNSSCallbacks.cpp:1178
(Diff revision 1)
> +              MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("Auth Type=%d\n",
> +                                                    channelInfo.authType));

Gah
Attachment #8794050 - Flags: review?(martin.thomson) → review+
Comment on attachment 8794051 [details]
Bug 1304919 - Update TLS server tests to expect TLS 1.3 cipher suite,

https://reviewboard.mozilla.org/r/80634/#review79388

LGTM
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,

https://reviewboard.mozilla.org/r/80636/#review79390

::: media/mtransport/transportlayerdtls.cpp:461
(Diff revision 2)
> +  ssl_grp_ffdhe_2048,
> +  ssl_grp_ffdhe_3072
> +};

Is there any actual point in enabling the FFDHE groups? IIRC the only counterparties who support FFDHE don't implement 7919

::: media/mtransport/transportlayerdtls.cpp:599
(Diff revision 2)
> +  rv = SSL_NamedGroupConfig(ssl_fd, NamedGroupPreferences,
> +                            mozilla::ArrayLength(NamedGroupPreferences));
> +  if (rv != SECSuccess) {
> +    MOZ_MTLOG(ML_ERROR, "Couldn't disable ECDHE key reuse");
> +    return false;
> +  }
> +

Need to fix cut-and-pasted error message.

::: media/mtransport/transportlayerdtls.cpp:709
(Diff revision 2)
>    TLS_RSA_WITH_AES_128_GCM_SHA256,
> +  TLS_RSA_WITH_AES_256_GCM_SHA384,
>    TLS_RSA_WITH_AES_128_CBC_SHA,
>    TLS_RSA_WITH_AES_128_CBC_SHA256,

This feels like it reveals a weakness in this design :)
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,

https://reviewboard.mozilla.org/r/80636/#review79390

> Is there any actual point in enabling the FFDHE groups? IIRC the only counterparties who support FFDHE don't implement 7919

Yes, because if we don't enable them, then - as a server - we won't do DHE suites.

> This feels like it reveals a weakness in this design :)

Yeah, but we the alternative is much more complicated.  This works well enough.  (And negotiating that cipher suite isn't the end of the world.)
Duplicate of this bug: 1304927
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,

https://reviewboard.mozilla.org/r/80636/#review79572

LGTM
Attachment #8794052 - Flags: review?(ekr) → review+
Comment on attachment 8794051 [details]
Bug 1304919 - Update TLS server tests to expect TLS 1.3 cipher suite,

https://reviewboard.mozilla.org/r/80634/#review79570

This continues to LGTM
Attachment #8794051 - Flags: review?(ekr) → review+
Pushed by martin.thomson@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d7e412fddbbc
Update Firefox to NSS trunk, r=mt
https://hg.mozilla.org/integration/mozilla-inbound/rev/b54d608edfa8
PSM changes to support TLS 1.3 key exchange, r=mt
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb62ee48735e
Update TLS server tests to expect TLS 1.3 cipher suite, r=ekr
https://hg.mozilla.org/integration/mozilla-inbound/rev/f1aace586e14
Update WebRTC to latest NSS, r=ekr
I think that I understand what is going on, strange that it's only the OSX 10.10 build that burned though.  I updated NSS twice in developing the patch.  The script that updates NSS toggles a useless change in security/nss/coreconf/coreconf.dep, which apparently the build system uses as a trigger to clobber just NSS.  This doesn't cause any problems on try, but apparently we don't do clobber builds on inbound, so it burned up.

More justification to work on bug 1237872.

I've another try build, which I will check in on and land if it looks moderately good.  I've picked up a few more NSS commits in the process, but none that should affect Firefox:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=11b6add1747f
Flags: needinfo?(martin.thomson)
Comment on attachment 8794050 [details]
Bug 1304919 - PSM changes to support TLS 1.3 key exchange,

This is one of three supporting patches for the NSS 3.28 uplift to Beta.
See bug 1305970
Attachment #8794050 - Flags: approval-mozilla-beta?
Comment on attachment 8794051 [details]
Bug 1304919 - Update TLS server tests to expect TLS 1.3 cipher suite,

This is one of three supporting patches for the 3.28 uplift to Beta. See approval in bug 1305970
Attachment #8794051 - Flags: approval-mozilla-beta?
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,

This is one of three supporting patched for the 3.28 uplift to Beta. See approval in bug 1305970
Attachment #8794052 - Flags: approval-mozilla-beta?
Specifically see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1305970#c47
Flags: needinfo?(lhenry)
Comment on attachment 8794050 [details]
Bug 1304919 - PSM changes to support TLS 1.3 key exchange,

OK to uplift to beta 51.
Flags: needinfo?(lhenry)
Attachment #8794050 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8794051 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8794052 [details]
Bug 1304919 - Update WebRTC to latest NSS,

OK for beta 51.
Attachment #8794052 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Gerry, can you add this  to the release notes, Updated to NSS 3.28.1 - with a link to https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.1_release_notes  ?
I am having some trouble getting into Nucleus right now, so i'm asking you in case I don't get it fixed today. Thanks!
Flags: needinfo?(gchang)
I got the login issue straightened out. Release note added.
Flags: needinfo?(gchang)
You need to log in before you can comment on or make changes to this bug.