Closed Bug 1357599 Opened 7 years ago Closed 7 years ago

Upgrade Firefox 54 to NSS 3.30.2, and upgrade Firefox ESR 52.2 to NSS 3.28.5 (root CA changes, only)

Categories

(Core :: Security: PSM, defect, P1)

51 Branch
defect

Tracking
RESOLVED FIXED
Tracking Status
firefox-esr52 54+ fixed
firefox53 --- wontfix
firefox54 + fixed
firefox55 + fixed

People

(Reporter: kathleen.a.wilson, Assigned: KaiE)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-assigned])

Attachments

(2 files)

I am requesting that we create a NSS 3.30.2 release which includes the March batch of root changes, and uplift it to the beta 54 branch.

The code patches for the March batch of root changes are in these 2 bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1350859 (the root inclusions/removals, details below)
https://bugzilla.mozilla.org/show_bug.cgi?id=1349705 (constrain the new Kamu SM root cert)

= Specific Changes =

The following CA certificates were Removed:
- O = Japanese Government, OU = ApplicationCA  (CA has completed migration to their new root)
            SHA-256 Fingerprint: 2D:47:43:7D:E1:79:51:21:5A:12:F3:C5:8E:51:C7:29:A5:80:26:EF:1F:CC:0A:5F:B3:D9:DC:01:2F:60:0D:19
- CN = WellsSecure Public Root Certificate Authority (all previously issued end entity certificates that chain up to this root have expired or been revoked)
            SHA-256 Fingerprint: A7:12:72:AE:AA:A3:CF:E8:72:7F:7F:B3:9F:0F:B3:D1:E5:42:6E:90:60:B0:6E:E6:F1:3E:9A:3C:58:33:CD:43
- CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 (This root was specifically for EV, but the CA decided not to issue EV certs)
            SHA-256 Fingerprint: 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
- CN=Microsec e-Szigno Root (expired)
            SHA-256 Fingerprint: 32:7A:3D:76:1A:BA:DE:A0:34:EB:99:84:06:27:5C:B1:A4:77:6E:FD:AE:2F:DF:6D:01:68:EA:1C:4F:55:67:D0

The following CA certificates were Added:
- CN = D-TRUST Root CA 3 2013
            SHA-256 Fingerprint: A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
            Trust Flags: Email
- CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
            SHA-256 Fingerprint: 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
            Trust Flags: Websites
            Technically constrained to: gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr, edu.tr, org.tr

The version number of the updated root CA list has been set to 2.14
~~

= Reason =
The Government of Turkey (Kamu SM) has a currently-included root certificate that expires August 21, 2017. They have been trying to get their new root certificate included in NSS in time for them to transition all of the impacted websites before their old root expires. They and I had been expecting this batch of root changes to be included in the Firefox release planned for the May/June time frame.
But I miscommunicated which Firefox release this change needed to go into. So, even though I had gotten the changes all done and tested before my vacation, it did not go into the Firefox branch that it apparently needed to go into.
I apologize for all the extra effort my error causes.
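The change list above is the kind of thing a deployer would want to check against a local trust store once the uplifted NSS ships. The following audit script is an added example for this page; it is not code from this bug, from NSS, or from bug 1349705. It takes the SHA-256 fingerprints, trust flags and constrained domains exactly as quoted in the bug, and everything else (the function names, the sample fingerprints passed in, the constructed DER stand-in) is an assumption of the example. The domain check applies the RFC 5280 dNSName subtree rule, which is assumed here for illustration and is not a statement about how the Kamu SM constraint is implemented in the NSS patch.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Fingerprints and trust data below are copied from the bug's
# "= Specific Changes =" section (root CA list version 2.14).
REMOVED_ROOTS: Dict[str, str] = {
    "2D:47:43:7D:E1:79:51:21:5A:12:F3:C5:8E:51:C7:29:A5:80:26:EF:1F:CC:0A:5F:B3:D9:DC:01:2F:60:0D:19":
        "O = Japanese Government, OU = ApplicationCA",
    "A7:12:72:AE:AA:A3:CF:E8:72:7F:7F:B3:9F:0F:B3:D1:E5:42:6E:90:60:B0:6E:E6:F1:3E:9A:3C:58:33:CD:43":
        "CN = WellsSecure Public Root Certificate Authority",
    "8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00":
        "CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6",
    "32:7A:3D:76:1A:BA:DE:A0:34:EB:99:84:06:27:5C:B1:A4:77:6E:FD:AE:2F:DF:6D:01:68:EA:1C:4F:55:67:D0":
        "CN = Microsec e-Szigno Root",
}

# Domains to which the new Kamu SM root is technically constrained, per the bug.
KAMU_SM_PERMITTED: Tuple[str, ...] = (
    "gov.tr", "k12.tr", "pol.tr", "mil.tr", "tsk.tr", "kep.tr", "bel.tr", "edu.tr", "org.tr",
)

# fingerprint -> (subject, trust flags, permitted dNSName subtrees or None)
ADDED_ROOTS: Dict[str, Tuple[str, frozenset, Optional[Tuple[str, ...]]]] = {
    "A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57":
        ("CN = D-TRUST Root CA 3 2013", frozenset({"Email"}), None),
    "46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16":
        ("CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1", frozenset({"Websites"}), KAMU_SM_PERMITTED),
}


def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, in the colon-separated
    upper-case form quoted in the bug (the same form `openssl x509
    -fingerprint -sha256` prints)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_store(present_fingerprints: Iterable[str]) -> Dict[str, list]:
    """Compare the fingerprints found in a trust store against the 2.14
    change list. Returns which removed roots are still trusted ("stale")
    and which added roots are not yet present ("missing")."""
    present = {fp.strip().upper() for fp in present_fingerprints}
    return {
        "stale": sorted(REMOVED_ROOTS[fp] for fp in present & set(REMOVED_ROOTS)),
        "missing": sorted(ADDED_ROOTS[fp][0] for fp in set(ADDED_ROOTS) - present),
    }


def dns_name_permitted(hostname: str, permitted: Tuple[str, ...] = KAMU_SM_PERMITTED) -> bool:
    """RFC 5280 dNSName subtree match (assumed rule): a host satisfies a
    constraint when it equals it or has whole labels prepended to it, so
    'www.example.gov.tr' matches 'gov.tr' but 'evilgov.tr' does not."""
    host = hostname.lower().rstrip(".")
    return any(host == s.lower() or host.endswith("." + s.lower()) for s in permitted)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate; shows the fingerprint form only.
    print(fingerprint(b"constructed DER placeholder"))
    # Constructed sample: a store that still has WellsSecure and has picked up D-TRUST.
    sample = [
        "A7:12:72:AE:AA:A3:CF:E8:72:7F:7F:B3:9F:0F:B3:D1:E5:42:6E:90:60:B0:6E:E6:F1:3E:9A:3C:58:33:CD:43",
        "a1:a8:6d:04:12:1e:b8:7f:02:7c:66:f5:33:03:c2:8e:57:39:f9:43:fc:84:b3:8a:d6:af:00:90:35:dd:94:57",
    ]
    print(audit_store(sample))
    for h in ("www.tubitak.gov.tr", "evilgov.tr", "example.com"):
        print(h, dns_name_permitted(h))
```

To feed real data, collect each root's fingerprint with `openssl x509 -in root.pem -noout -fingerprint -sha256` and pass the hex strings to `audit_store`; it normalises case, so either OpenSSL's upper-case output or a lower-case list works. Any name in "stale" means a root the bug describes as removed is still trusted locally, which is the condition this uplift exists to end.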
Attached file update-nss-3.30.2.txt
Backport requested by Kathleen Wilson.

The only changes are the CA certificates list and constraints.
Attachment #8859541 - Flags: approval-mozilla-beta?
Assignee: nobody → kaie
Should we update 3.28 for ESR52 as well?
Flags: needinfo?(kaie)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> Should we update 3.28 for ESR52 as well?

Kathleen is investigating.
Flags: needinfo?(kaie)
This is ready to be uplifted to the beta branch.

All related changes are already being used by mozilla-central.
(In reply to [Out of Office Until 24-April] Ryan VanderMeulen [:RyanVM] from comment #3)
> Should we update 3.28 for ESR52 as well?

Yes.
(I checked with the Kamu SM CA, and they really do need it in ESR as well, if at all possible.)

Thanks!
Summary: Upgrade Firefox 54 to NSS 3.30.2 → Upgrade Firefox 54 to NSS 3.30.2 and Firefox 52.2 ESR to NSS 3.28.5
Attached file update-nss-3.28.5.txt
Backport requested by Kathleen Wilson.

The only changes are the CA certificates list and constraints.
Attachment #8860372 - Flags: approval-mozilla-esr52?
Summary: Upgrade Firefox 54 to NSS 3.30.2 and Firefox 52.2 ESR to NSS 3.28.5 → Upgrade Firefox 54 to NSS 3.30.2, and upgrade Firefox ESR 52.2 to NSS 3.28.5 (root CA changes, only)
Kathleen, could you please help to lobby for approvals?
Flags: needinfo?(kwilson)
Comment on attachment 8859541 [details]
update-nss-3.30.2.txt

Approval Request Comment
[Feature/Bug causing the regression]: N/A

[User impact if declined]: 
Turkish government sites will stop working for users when their root expires; the replacement is constrained to only sites under Turkish control.

[Is this code covered by automated tests?]: No

[Has the fix been verified in Nightly?]: Yes

[Needs manual test from QE? If yes, steps to reproduce]: No

[List of other uplifts needed for the feature/fix]: None

[Is the change risky?]: No

[Why is the change risky/not risky?]: 
Removed Roots have been carefully coordinated with the issuing organizations as part of transitions to new roots and they have assured us that all issued certs from the old roots are expired or revoked.

[String changes made/needed]: None
Thanks, Dan and Kai!

I sent email to release managers about this too. Not sure what else I'm supposed to do in regards to lobbying for approvals.
Flags: needinfo?(kwilson)
Comment on attachment 8859541 [details]
update-nss-3.30.2.txt

This is important for Turkish government. Beta54+. Should be in 54 beta 2.
Attachment #8859541 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(In reply to Daniel Veditz [:dveditz] from comment #9)
> [Is this code covered by automated tests?]: No
> [Has the fix been verified in Nightly?]: Yes
> [Needs manual test from QE? If yes, steps to reproduce]: No

Setting qe-verify- based on Daniel's assessment on manual testing needs.
Flags: qe-verify-
Tracking 54/55 and 52+ for this change.
Priority: -- → P1
Whiteboard: [psm-assigned]
Comment on attachment 8860372 [details]
update-nss-3.28.5.txt

Approval Request Comment
[Feature/Bug causing the regression]: N/A

[User impact if declined]: 
Turkish government sites will stop working for users when their root expires; the replacement is constrained to only sites under Turkish control.

[Is this code covered by automated tests?]: No

[Has the fix been verified in Nightly?]: Yes

[Needs manual test from QE? If yes, steps to reproduce]: No

[List of other uplifts needed for the feature/fix]: None

[Is the change risky?]: No

[Why is the change risky/not risky?]: 
Removed Roots have been carefully coordinated with the issuing organizations as part of transitions to new roots and they have assured us that all issued certs from the old roots are expired or revoked.

[String changes made/needed]: None
Is it possible to make the approval decision for ESR 52.2 soon? Early clarity would help. Thanks.
Flags: needinfo?(jcristau)
My only reason to not uplift the changes now is that it can be a little confusing if we end up needing to build and release ESR 52.1.1. So far I don't think we will need to do that.
I agree we should take this for the 52.2 release. Ritu, are you starting to land patches for 52.2 yet?
Flags: needinfo?(rkothari)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #17)
> I agree we should take this for the 52.2 release

Thanks, this is what was important for me, to know that you'll most likely approve it later during this cycle.
Comment on attachment 8860372 [details]
update-nss-3.28.5.txt

nss root CA changes for esr52.2
Flags: needinfo?(rkothari)
Flags: needinfo?(jcristau)
Attachment #8860372 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Looks like this would require uplifting bug 1335904 to ESR52 (that bug removed EV treatment for the TurkTrust H6 root).
Flags: needinfo?(kaie)