We've released NSS 3.28.1, which is a minor patch release on top of NSS 3.28, which includes a bugfix for TLS 1.3, plus the CA certificates changes from December. This update has been planned for Firefox 52. Because Firefox 51 has also been updated to use NSS 3.28, it might be reasonable to take this minor update for Firefox 51, too. (For Firefox 53, this bug can be marked fixed once mozilla-central has been updated to use NSS trunk snapshot e40d83f856f7 or newer.)
Execute these commands inside the aurora or beta tree to uplift NSS 3.28.1
Comment on attachment 8823655 [details] update_nss_to_3.28.1.txt aurora-approval requested by ttaubert and kwilson, as explained in previous comment. beta-approval landed, but it's up to ttaubert to explain, if this should happen or not.
fixed the command to replace the version number in old-configure.in
(In reply to Kai Engert (:kaie) from comment #2)
> Comment on attachment 8823655 [details]
> update_nss_to_3.28.1.txt
>
> aurora-approval requested by ttaubert and kwilson, as explained in previous
> comment.

I think it should be OK for the December batch of root changes to be included in Firefox 51. For anyone who would like to double-check this, the list of root changes is here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.1_release_notes

The only removals in this batch of root changes are:

1) CN = Buypass Class 2 CA 1 [Expired Oct 13, 2016, was only enabled for TLS/SSL]
SHA-256 Fingerprint: 0F:4E:9C:DD:26:4B:02:55:50:D1:70:80:63:40:21:4F:E9:44:34:C9:B0:2F:69:7E:C7:10:FC:5F:EA:FB:5E:38

2) CN = Root CA Generalitat Valenciana [CA said they finished migration from this old root]
SHA-256 Fingerprint: 8C:4E:DF:D0:43:48:F3:22:96:9E:7E:29:A4:CD:4D:CA:00:46:55:06:1C:16:E1:B0:76:42:2E:F3:42:AD:63:0E

3) OU = RSA Security 2048 V3 [CA said they finished migration from this old root]
SHA-256 Fingerprint: AF:8B:67:62:A1:E5:28:22:81:61:A9:5D:5C:55:9E:E2:66:27:8F:75:D7:9E:83:01:89:A5:03:50:6A:BD:6B:4C

Thanks, Kathleen
Comment on attachment 8823657 [details] update_nss_to_3.28.1.txt Let's uplift this for the beta 12 build today.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Matt, Just to play it safe... Would you please run compat testing on FF 51? Per comment #7 I think this landed.
The canary shows 20 regressions. These are caused by bug 1317857. I'm including a list here, which is more or less the same list as in that bug.
(In reply to Matt Wobensmith [:mwobensmith][:matt:] from comment #9)
> Created attachment 8825481 [details]
> Regressed sites from Alexa top 1M
>
> The canary shows 20 regressions. These are caused by bug 1317857. I'm
> including a list here, which is more or less the same list as in that bug.

So, those 20 regressions were already in NSS 3.28 and FF 50. Correct?
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1317857#c7

Or do you think any of those regressions are new to NSS 3.28.1?
(In reply to Kathleen Wilson from comment #10)
> So, those 20 regressions were already in NSS 3.28 and FF 50. Correct?
> Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1317857#c7

These sites do not appear to break in Fx50.0.2, which has NSS 3.26.2.

> Or do you think any of those regressions are new to NSS 3.28.1?

They were introduced during the development cycle of NSS 3.28, somewhere between 2016-10-06 and 2016-11-10.
OK. I compared https://bug1328600.bmoattachments.org/attachment.cgi?id=8825481 with https://bug1317857.bmoattachments.org/attachment.cgi?id=8811077 and found that there are three "new failures":

https://www.mycreditcard.mobi -- TLS cert chains up to 'AddTrust External CA Root' root cert
https://kwikeesystems.com -- TLS cert chains up to 'Entrust Root Certification Authority - G2' root cert
https://www.schulthess.com -- TLS cert chains up to 'thawte Primary Root CA' root cert

So, none of these compat issues are related to the December batch of root changes. Therefore, these compat failures are due to some other change in NSS 3.28 and NSS 3.28.1.

In my opinion, someone needs to evaluate Bug #1317857 and the above three additional failures to determine what change is breaking these sites, and what the resolution should be before NSS 3.28 is included in a Firefox release.
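The check Kathleen performs by hand in the two comments above (does a failing site's chain terminate at one of the three roots removed in NSS 3.28.1?) can be automated against the SHA-256 fingerprints from the release notes. The following is an added example and is not code from this bug, from NSS or from Mozilla; the three fingerprints and names are copied from the comment listing the removals, everything else (function names, the dict layout, the constructed sample bytes) is this example's own. The chain is expected as a leaf-first list of DER-encoded certificates, such as a client would receive in the TLS handshake.

```python
import hashlib
from typing import Dict, List, Optional

# The three roots removed in NSS 3.28.1, fingerprints and names as listed in
# the thread above. The mapping shape is this example's own.
REMOVED_ROOTS_3_28_1: Dict[str, str] = {
    "0F:4E:9C:DD:26:4B:02:55:50:D1:70:80:63:40:21:4F:E9:44:34:C9:B0:2F:69:7E:C7:10:FC:5F:EA:FB:5E:38":
        "CN = Buypass Class 2 CA 1",
    "8C:4E:DF:D0:43:48:F3:22:96:9E:7E:29:A4:CD:4D:CA:00:46:55:06:1C:16:E1:B0:76:42:2E:F3:42:AD:63:0E":
        "CN = Root CA Generalitat Valenciana",
    "AF:8B:67:62:A1:E5:28:22:81:61:A9:5D:5C:55:9E:E2:66:27:8F:75:D7:9E:83:01:89:A5:03:50:6A:BD:6B:4C":
        "OU = RSA Security 2048 V3",
}

HEX_DIGITS = set("0123456789ABCDEF")


def normalize_fingerprint(fp: str) -> str:
    """Canonicalize a SHA-256 fingerprint to 64 uppercase hex characters.

    Accepts the colon-separated form used in the release notes, a
    space-separated form, or a bare hex string, in either case.
    """
    digits = "".join(ch for ch in fp if ch not in ": ").upper()
    if len(digits) != 64 or any(ch not in HEX_DIGITS for ch in digits):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return digits


def fingerprint_der(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted as in the NSS release notes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def removed_root_in_chain(chain_der: List[bytes],
                          removed: Dict[str, str] = REMOVED_ROOTS_3_28_1) -> Optional[str]:
    """Return the name of the removed root that appears in the chain, else None.

    Every certificate sent is checked, because a server may include the root
    itself as the last element. Caveat: if the server omits the root and relies
    on the client's store, the match would have to be made on the last
    intermediate's issuer name instead, which this example does not attempt.
    """
    index = {normalize_fingerprint(k): v for k, v in removed.items()}
    for der in chain_der:
        name = index.get(normalize_fingerprint(fingerprint_der(der)))
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: these bytes are not real certificates, they only
    # stand in for DER so the function can be exercised offline.
    sample_chain = [b"leaf-cert-der", b"intermediate-cert-der", b"root-cert-der"]
    print(removed_root_in_chain(sample_chain))  # None: no removed root present
```

In practice the DER list comes from the server's handshake, e.g. via `ssl.SSLSocket.getpeercert(binary_form=True)` for the leaf, or from a tool that dumps the full chain; a result other than None is the signal that a site is affected by this batch of root removals rather than by some other NSS change.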
FWIW, these three additional sites may have failed before and could have the same root problem as the others. There is a margin of error in what the canary catches due to timing issues and the generally changing nature of the web (latency, load balancers, redirects, etc.).
If this proceeds, these sites would break in Release upon release of 52 in March. Chrome releases about every 6 weeks IIRC, so in theory Chrome will break first. Are we OK with that?
Please note that this is also going into Firefox 51, which releases January 24.
So, I think the evangelism stated in Bug #1317857 needs to happen before Firefox 51 release...