Bug 1441223 added MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED to be emitted when we hit certificates affected by the Symantec distrust. Some sites are still emitting SEC_ERROR_UNKNOWN_ISSUER if they have multiple certificate trust paths possible, but one is unknown. This error really should be fatal -- perhaps like Bug 1437214. This affects 60, and is confusing for writing documentation (Bug 1444427). If it's a reasonable patch, we might want to uplift this into 60.  https://tlscanary.mozilla.org/runs/2018-03-08-10-41-46/index.htm
Is there a reason why we can't issue an error like ERR_CERT_SYMANTEC_LEGACY? (assuming we adjust the prefix to fit into our error hierarchy)
(In reply to Selena Deckelmann :selenamarie :selena use ni? pronoun: she from comment #1) > Is there a reason why we can't issue an error like ERR_CERT_SYMANTEC_LEGACY? > (assuming we adjust the prefix to fit into our error hierarchy) Only that we wanted to be able to re-use this error for future distrust-by-policy events, since adding errors is more work than it really should be. If we had the special error page from Bug 1441959, it might be more clear.
Assignee: nobody → jjones
Status: NEW → ASSIGNED
Comment on attachment 8959029 [details] Bug 1444440 - Ensure the correct error is emitted for policy distrusts r?keeler David Keeler [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D734
Attachment #8959029 - Flags: review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/98125ba99b69 Ensure the correct error is emitted for policy distrusts r=keeler
Looks like this bug won a perf improvement, though I don't see any clear connections. Please state whether it makes sense or not, as Strings * tests are very sensitive and noisy. == Change summary for alert #12298 (as of Tue, 20 Mar 2018 15:11:49 GMT) == Improvements: 13% Strings PerfStripCharsWhitespace osx-10-10 opt 342,711.17 -> 298,132.50 For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=12298
This would not have contributed to a performance improvement for string processing code (unless it's something esoteric and hand-wavey like "cache alignment").
Comment on attachment 8959029 [details] Bug 1444440 - Ensure the correct error is emitted for policy distrusts r?keeler Approval Request Comment [Feature/Bug causing the regression]: Bug 1441223 [User impact if declined]: Sometimes the Symantec policy error will be "unknown issuer" incorrectly, which may be confusing to the users. [Is this code covered by automated tests?]: Yes. [Has the fix been verified in Nightly?]: Yes, since Wednesday 21 March. [Needs manual test from QE? If yes, steps to reproduce]: No, and it's being exercised by the TLS Canary (tlscanary.mozilla.org) [List of other uplifts needed for the feature/fix]: None [Is the change risky?]: Medium-low risk [Why is the change risky/not risky?]: It's a small patch, in code well covered by tests, but that code is our cert verification code. There cannot exist a low-risk change to that code, as it's security critical. Still, we've high confidence in the algorithm changes, and it's got tests. [String changes made/needed]: No changes needed.
Attachment #8959029 - Flags: approval-mozilla-beta?
Comment on attachment 8959029 [details] Bug 1444440 - Ensure the correct error is emitted for policy distrusts r?keeler better error for the symantec distrust in some cases, beta60+
Attachment #8959029 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.