Closed Bug 1388155 Opened 4 years ago Closed 4 years ago

Make sure HPKP preload expiration date is accurate for 56

Categories

(Core :: Security: PSM, defect, P2)

56 Branch
defect

Tracking

()

RESOLVED FIXED
Tracking Status
firefox56 blocking fixed
firefox57 --- unaffected

People

(Reporter: RyanVM, Assigned: jcristau)

References

Details

(Whiteboard: [psm-blocked] )

Attachments

(1 file)

[Tracking Requested - why for this release]:

+++ This bug was initially created as a clone of Bug #1365791 +++

Confirm and patch security/manager/ssl/StaticHPKPins.h and security/manager/ssl/nsSTSPreloadList.inc in 56 to have sufficient lifetime on the preloaded HPKP and STS pins. Right now, they're set to expire on or around 2017-10-30, which isn't going to be long enough given that Fx57 is due for release on 2017-11-14 (and that's when we've got Fx55 set to expire).

As we found out the hard way during the last cycle, we *do* need to wait a bit before landing the bump, however, since there are sanity check tests that'll fail if the expiration date is too far in the future.
Version: 55 Branch → 56 Branch
We can probably move forward with this now.
Flags: needinfo?(dkeeler)
Attached patch hpkp-56.patch
Assignee: nobody → jcristau
Status: NEW → ASSIGNED
Attachment #8904193 - Flags: review?(dkeeler)
Comment on attachment 8904193
hpkp-56.patch

Review of attachment 8904193:
-----------------------------------------------------------------

Great - thanks!
(note that comment 0 is a bit misleading since it's from the "do this for 55" bug - if https://wiki.mozilla.org/RapidRelease/Calendar is correct, we want the date to be ~16 January 2018, which is what this patch does)
Attachment #8904193 - Flags: review?(dkeeler) → review+
Whiteboard: [psm-blocked] → [psm-blocked] [checkin-needed-beta]
Comment on attachment 8904193
hpkp-56.patch

Approval Request Comment
[Feature/Bug causing the regression]: n/a
[User impact if declined]: builtin https pins will expire on October 30, while 56 is still the current release
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: n/a
[Needs manual test from QE? If yes, steps to reproduce]: n/a
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: just bumping two expiration dates from October 30, 2017 to January 16, 2018
[String changes made/needed]: none
Attachment #8904193 - Flags: approval-mozilla-beta?
Cutting it fine with the 19 weeks, though.

$ date -d 'now + 19 weeks'
Tue Jan 16 17:29:44 CET 2018
Whiteboard: [psm-blocked] [checkin-needed-beta] → [psm-blocked]
Comment on attachment 8904193
hpkp-56.patch

Re-set for HPKP expiration for 56, please uplift to beta.
Attachment #8904193 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/releases/mozilla-beta/rev/4a3debc85f08
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Blocks: 1397441