Closed Bug 1343305 Opened 8 years ago Closed 8 years ago

CCADB entries generated 2017-02-28

Categories: Core :: Security Block-lists, Allow-lists, and other State (defect)
Type: defect; Priority: Not set; Severity: normal
Status: RESOLVED FIXED
People: Reporter: mgoodwin, Unassigned
Attachments (2 files)

Attached file bug_data.txt
Please add the following blocklist entries following approval from Kathleen and Matt.
Attachment #8842097 - Flags: review?(kwilson)
Combined revocations.txt for TLS canary run
Attachment #8842099 - Flags: review?(mwobensmith)
Comment on attachment 8842097 [details] bug_data.txt I confirm that these are the correct entries to add to OneCRL. Thanks!
Attachment #8842097 - Flags: review?(kwilson) → review+
Comment on attachment 8842099 [details] revocations_combined.txt Canary pass says no regressions on top sites, marking r+.
Attachment #8842099 - Flags: review?(mwobensmith) → review+
ni? me again when this goes to stage so that I can verify it from there, if possible. Thank you.
Any update on adding these entries to OneCRL?
Not sure who's on point for staging these blocks.
Flags: needinfo?(mgoodwin)
Depends on: 1359479
Depends on: 1359816
No longer depends on: 1359816
An update on these changes; these are currently staged on the production kinto instance awaiting approval. In answer to Jorge's question; we (crypto eng) are now on point for staging (and adding) these blocks. This was not the case when the bug was initially filed.
Flags: needinfo?(mgoodwin)
Approved at production kinto at Tuesday, 2 May 2017, 20:25:20 UTC
Is anyone seeing these additions to OneCRL?
I see most of the new entries when I use my old Firefox profile. I can't find the first entry:
issuer: MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMg== serial: UdNjvA==
But so far I have found the rest. The thing that I'm really puzzled about is that I created a new Firefox profile, and the revocations.txt file did not get created.
Here's the list of the new entries that I am not seeing in my version of revocations.txt.
issuer: MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMg== serial: UdNjvA==
issuer: MFcxCzAJBgNVBAYTAlRXMQ4wDAYDVQQKEwVUYWlDQTESMBAGA1UECxMJUG9saWN5IENBMSQwIgYDVQQDExtUYWlDQSBJbmZvcm1hdGlvbiBQb2xpY3kgQ0E= serial: UbQGvw==
issuer: MFoxCzAJBgNVBAYTAklFMRIwEAYDVQQKEwlCYWx0aW1vcmUxEzARBgNVBAsTCkN5YmVyVHJ1c3QxIjAgBgNVBAMTGUJhbHRpbW9yZSBDeWJlclRydXN0IFJvb3Q= serial: Bydvrw==
issuer: MFoxCzAJBgNVBAYTAklFMRIwEAYDVQQKEwlCYWx0aW1vcmUxEzARBgNVBAsTCkN5YmVyVHJ1c3QxIjAgBgNVBAMTGUJhbHRpbW9yZSBDeWJlclRydXN0IFJvb3Q= serial: ByfDtA==
issuer: MFoxCzAJBgNVBAYTAklFMRIwEAYDVQQKEwlCYWx0aW1vcmUxEzARBgNVBAsTCkN5YmVyVHJ1c3QxIjAgBgNVBAMTGUJhbHRpbW9yZSBDeWJlclRydXN0IFJvb3Q= serial: Byemag==
issuer: MFoxCzAJBgNVBAYTAklFMRIwEAYDVQQKEwlCYWx0aW1vcmUxEzARBgNVBAsTCkN5YmVyVHJ1c3QxIjAgBgNVBAMTGUJhbHRpbW9yZSBDeWJlclRydXN0IFJvb3Q= serial: ByemaQ==
issuer: MIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp serial: OGPFrg==
issuer: MDMxCzAJBgNVBAYTAlBUMQ0wCwYDVQQKDARTQ0VFMRUwEwYDVQQDDAxFQ1JhaXpFc3RhZG8= serial: cx0HrIEQg8JHWTP7DzOxSQ==
issuer: MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jvb3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ== serial: QAEy3RIAAAAAAAAMweH5dw==
issuer: MEgxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlvbjEXMBUGA1UEAxMOU2VjdXJlVHJ1c3QgQ0E= serial: R/j2qA==
(In reply to Kathleen Wilson from comment #12) We actually have two issues here: Some of the entries have acquired a trailing = in the revocations.txt data. Looking into both of these issues now.
This OneCRL update broke crt.sh's parsing (hence why https://crt.sh/mozilla-onecrl hasn't been updating itself). This breakage was due to missing padding ('=' characters) at the end of some base64 serial numbers. Postgres's decode(<base64_data>, 'base64') function throws an exception if the base64 data isn't padded correctly. I've just implemented a workaround, so https://crt.sh/mozilla-onecrl now shows the new OneCRL additions. Also, the new entries don't specify a "created" timestamp. Was that intentional?
Flags: needinfo?(mgoodwin)
(In reply to Rob Stradling from comment #14)
> This OneCRL update broke crt.sh's parsing (hence why
> https://crt.sh/mozilla-onecrl hasn't been updating itself). This breakage
> was due to missing padding ('=' characters) at the end of some base64 serial
> numbers. Postgres's decode(<base64_data>, 'base64') function throws an
> exception if the base64 data isn't padded correctly.
> I've just implemented a workaround, so https://crt.sh/mozilla-onecrl now
> shows the new OneCRL additions.

The truncation of padding was a problem for other reasons. I've fixed this now.

> Also, the new entries don't specify a "created" timestamp. Was that
> intentional?

No. I've also resolved this issue. The updated data should start appearing on the CDN soon.
Flags: needinfo?(mgoodwin)
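The padding defect discussed in comments #14 and #15 is easy to reproduce and to check for before data is published. The following is an added example, not code from crt.sh, Mozilla or this bug: it parses entries written in the "issuer: <base64> serial: <base64>" form the comments above use (an assumption about layout; the real revocations.txt file is laid out differently), decodes them the way a strict consumer such as Postgres's decode(..., 'base64') would, reports values that have lost their '=' padding, and optionally repairs them. The sample input is constructed; its issuer values are two of the OneCRL issuers listed in this bug, and the second serial has deliberately had its "==" stripped to mirror the defect.

```python
import base64
import binascii
import re

# Constructed sample in the "issuer: <b64> serial: <b64>" form the bug comments
# use. The second serial has deliberately lost its "==" padding (the defect).
SAMPLE = """\
issuer: MEgxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlvbjEXMBUGA1UEAxMOU2VjdXJlVHJ1c3QgQ0E= serial: R/j2qA==
issuer: MDMxCzAJBgNVBAYTAlBUMQ0wCwYDVQQKDARTQ0VFMRUwEwYDVQQDDAxFQ1JhaXpFc3RhZG8= serial: cx0HrIEQg8JHWTP7DzOxSQ
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
ENTRY_RE = re.compile(r"^\s*issuer:\s*(\S+)\s+serial:\s*(\S+)\s*$")


def strict_b64decode(value):
    """Decode the way a strict consumer such as Postgres decode(..., 'base64')
    does: a wrong alphabet or a length that is not a multiple of 4 is an error."""
    if not B64_RE.match(value) or len(value) % 4 != 0:
        raise binascii.Error("malformed or unpadded base64: %r" % value)
    return base64.b64decode(value, validate=True)


def repad(value):
    """Restore the '=' padding base64 needs to reach a multiple of 4 characters."""
    stripped = value.rstrip("=")
    return stripped + "=" * (-len(stripped) % 4)


def decode_field(value, repair):
    """Return (raw bytes, was_repaired); with repair=False behave strictly."""
    try:
        return strict_b64decode(value), False
    except binascii.Error:
        if not repair:
            raise
        return strict_b64decode(repad(value)), True


def parse_entries(text, repair=False):
    """Parse issuer/serial entries; each result records whether it needed repair."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines or other fields
        issuer_b64, serial_b64 = m.groups()
        issuer, issuer_fixed = decode_field(issuer_b64, repair)
        serial, serial_fixed = decode_field(serial_b64, repair)
        entries.append({
            "issuer_b64": issuer_b64,
            "issuer": issuer,          # DER-encoded issuer Name
            "serial": serial,          # raw serial number bytes
            "serial_hex": serial.hex(),
            "repaired": issuer_fixed or serial_fixed,
        })
    return entries


def padding_problems(text):
    """List the base64 values a strict decoder would reject; suitable as a
    pre-publication check on generated blocklist data."""
    bad = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        for value in m.groups():
            if len(value) % 4 != 0 or not B64_RE.match(value):
                bad.append(value)
    return bad


def parses_strictly(text):
    """True when every entry decodes without repair."""
    try:
        parse_entries(text, repair=False)
        return True
    except binascii.Error:
        return False


if __name__ == "__main__":
    print("strict parse ok:", parses_strictly(SAMPLE))
    print("unpadded values:", padding_problems(SAMPLE))
    for e in parse_entries(SAMPLE, repair=True):
        print("serial %s repaired=%s issuer DER length=%d"
              % (e["serial_hex"], e["repaired"], len(e["issuer"])))
```

Running padding_problems over the data before it is pushed catches the class of breakage crt.sh hit; the repair path is only for consumers that must keep working on already-published data, since the right fix is in the generator, as comment #15 reports.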
Thanks Mark.
Kathleen, I've verified that the data in my firefox profile matches the production data. jcj, in turn, has verified that the production data matches the data attached to this bug. Would you (or Matt) like to verify and close this out? Let me know if you'd like help with this.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kwilson)
Thanks! I'm still waiting for revocations.txt to get updated on my system. I will verify the contents when the update shows up for me (through the normal process for end-users).
Flags: needinfo?(kwilson)
revocations.txt got updated on my system, and I confirm that these new entries are there. Thanks!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
These entries are live, so no point in reviewing now.
Flags: needinfo?(mwobensmith)
Blocks: onecrl-meta
Summary: New certificate blocklist entries W/C 20170227 → CCADB entries generated 2017-02-28

Moving bug to Core::Security Block-lists, Allow-lists, and other State.

Component: Blocklist Policy Requests → Security Block-lists, Allow-lists, and other State
Product: Toolkit → Core
