1328600 - Uplift NSS 3.28.1 to Firefox 52 and probably Firefox 51, too

Status: VERIFIED FIXED

(Core :: Security: PSM, defect)

Description

[Kai Engert (:KaiE:)]

We've released NSS 3.28.1, which is a minor patch release on top of NSS 3.28, which includes a bugfix for TLS 1.3, plus the CA certificates changes from december.

This update has been planned for Firefox 52.

Because Firefox 51 has also been updated to use NSS 3.28, it might be reasonable to take this minor update for Firefox 51, too.

(For Firefox 53, this bug can be marked fixed once mozilla-central has been updated to use NSS trunk snapshot e40d83f856f7 or newer.)

Comment 1

[Kai Engert (:KaiE:)]

Attachment: update_nss_to_3.28.1.txt

Execute these commands inside the aurora or beta tree to uplift NSS 3.28.1

Comment 2

[Kai Engert (:KaiE:)]

Comment on attachment 8823655 [details]
update_nss_to_3.28.1.txt

aurora-approval requested by ttaubert and kwilson, as explained in previous comment.

beta-approval landed, but it's up to ttaubert to explain, if this should happen or not.

Comment 3

[Kai Engert (:KaiE:)]

Attachment: update_nss_to_3.28.1.txt

fixed the command to replace the version number in old-configure.in

Comment 4

[Kathleen Wilson]

(In reply to Kai Engert (:kaie) from comment #2)
> Comment on attachment 8823655 [details]
> update_nss_to_3.28.1.txt
> 
> aurora-approval requested by ttaubert and kwilson, as explained in previous
> comment.

I think it should be OK for the December batch of root changes to be included in Firefox 51. 

For anyone who would like to double-check this, the list of root changes is here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.1_release_notes
The only removals in this batch of root changes are:
1) CN = Buypass Class 2 CA 1 [Expired Oct 13, 2016, was only enabled for TLS/SSL]
        SHA-256 Fingerprint: 0F:4E:9C:DD:26:4B:02:55:50:D1:70:80:63:40:21:4F:E9:44:34:C9:B0:2F:69:7E:C7:10:FC:5F:EA:FB:5E:38
2) CN = Root CA Generalitat Valenciana [CA said they finished migration from this old root]
        SHA-256 Fingerprint: 8C:4E:DF:D0:43:48:F3:22:96:9E:7E:29:A4:CD:4D:CA:00:46:55:06:1C:16:E1:B0:76:42:2E:F3:42:AD:63:0E
3) OU = RSA Security 2048 V3 [CA said they finished migration from this old root]
        SHA-256 Fingerprint: AF:8B:67:62:A1:E5:28:22:81:61:A9:5D:5C:55:9E:E2:66:27:8F:75:D7:9E:83:01:89:A5:03:50:6A:BD:6B:4C

Thanks,
Kathleen

Comment 5

[Liz Henry (:lizzard) (relman/hg->git project)]

Comment on attachment 8823657 [details]
update_nss_to_3.28.1.txt

Let's uplift this for the beta 12 build today.

Comment 6

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/releases/mozilla-beta/rev/ad4c4ae929a2

Comment 7

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/releases/mozilla-aurora/rev/dbbbc4ab2f1b

Comment 8

[Kathleen Wilson]

Matt, Just to play it safe... Would you please run compat testing on FF 51? 
Per comment #7  I think this landed.

Comment 9

[Matt Wobensmith [:mwobensmith][:matt:]]

Attachment: Regressed sites from Alexa top 1M

The canary shows 20 regressions. These are caused by bug 1317857. I'm including a list here, which is more or less the same list as in that bug.

Comment 10

[Kathleen Wilson]

(In reply to Matt Wobensmith [:mwobensmith][:matt:] from comment #9)
> Created attachment 8825481 [details]
> Regressed sites from Alexa top 1M
> 
> The canary shows 20 regressions. These are caused by bug 1317857. I'm
> including a list here, which is more or less the same list as in that bug.

So, those 20 regressions were already in NSS 3.28 and FF 50. Correct?
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1317857#c7

Or do you think any of those regressions are new to NSS 3.28.1?

Comment 11

[Matt Wobensmith [:mwobensmith][:matt:]]

(In reply to Kathleen Wilson from comment #10)

> So, those 20 regressions were already in NSS 3.28 and FF 50. Correct?
> Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1317857#c7

These sites do not appear to break in Fx50.0.2, which has NSS 3.26.2. 

> Or do you think any of those regressions are new to NSS 3.28.1?

They were introduced during the development cycle of NSS 3.28, somewhere between 2016-10-06 and 2016-11-10.

Comment 12

[Kathleen Wilson]

OK.

I compared
https://bug1328600.bmoattachments.org/attachment.cgi?id=8825481
with
https://bug1317857.bmoattachments.org/attachment.cgi?id=8811077

And found that there are three "new failures":
https://www.mycreditcard.mobi -- TLS cert chains up to 'AddTrust External CA Root' root cert
https://kwikeesystems.com -- TLS cert chains up to 'Entrust Root Certification Authority - G2' root cert
https://www.schulthess.com -- TLS cert chains up to 'thawte Primary Root CA' root cert
So, none of these compat issues are related to the December batch of root changes.

Therefore, these compat failures are due to some other change in NSS 3.28 and NSS 3.28.1.

In my opinion, someone needs to evaluate Bug #1317857 and the above three additional failures to determine what change is breaking these sites, and what the resolution should be before NSS 3.28 is included in a Firefox release.

Comment 13

[Matt Wobensmith [:mwobensmith][:matt:]]

FWIW, these three additional sites may have failed before and could have the same root problem as the others. There is a margin of error in what the canary catches due to timing issues and the generally changing nature of the web (latency, load balancers, redirects, etc.).

Comment 14

[J.C. Jones [:jcj] (he/him)]

If this proceeds, these sites would break in Release upon release of 52 in March. Chrome releases about every 6 weeks IIRC, so in theory Chrome will break first. Are we OK with that?

Comment 15

[Kathleen Wilson]

Please note that this is also going into Firefox 51, which releases January 24.

Comment 16

[Kathleen Wilson]

So, I think the evangelism stated in Bug #1317857 needs to happen before Firefox 51 release...