Ensure the discrete policy enforcement error code is shown when emitted

RESOLVED FIXED in Firefox 60

Status

()

defect
P1
normal
RESOLVED FIXED
2 years ago
Last year

People

(Reporter: jcj, Assigned: jcj)

Tracking

unspecified
mozilla61
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox58 unaffected, firefox59 unaffected, firefox60+ fixed, firefox61 fixed)

Details

()

Attachments

(1 attachment)

Bug 1441223 added MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED to be emitted when we hit certificates affected by the Symantec distrust.

Some sites are still emitting SEC_ERROR_UNKNOWN_ISSUER if they have multiple certificate trust paths possible, but one is unknown. This error really should be fatal -- perhaps like Bug 1437214.

This affects 60, and is confusing for writing documentation (Bug 1444427). If it's a reasonable patch, we might want to uplift this into 60.

[1] https://tlscanary.mozilla.org/runs/2018-03-08-10-41-46/index.htm
Is there a reason why we can't issue an error like ERR_CERT_SYMANTEC_LEGACY? (assuming we adjust the prefix to fit into our error hierarchy)
(In reply to Selena Deckelmann :selenamarie :selena use ni? pronoun: she from comment #1)
> Is there a reason why we can't issue an error like ERR_CERT_SYMANTEC_LEGACY?
> (assuming we adjust the prefix to fit into our error hierarchy)

Only that we wanted to be able to re-use this error for future distrust-by-policy events, since adding errors is more work than it really should be. If we had the special error page from Bug 1441959, it might be more clear.
Assignee: nobody → jjones
Status: NEW → ASSIGNED
Comment on attachment 8959029 [details]
Bug 1444440 - Ensure the correct error is emitted for policy distrusts r?keeler

David Keeler [:keeler] (use needinfo) has approved the revision.

https://phabricator.services.mozilla.com/D734
Attachment #8959029 - Flags: review+
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/98125ba99b69
Ensure the correct error is emitted for policy distrusts r=keeler
https://hg.mozilla.org/mozilla-central/rev/98125ba99b69
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Looks like this bug won a perf improvement, though I don't see any clear connections.
Please state whether it makes sense or not, as Strings * tests are very sensitive and noisy.

== Change summary for alert #12298 (as of Tue, 20 Mar 2018 15:11:49 GMT) ==

Improvements:

 13%  Strings PerfStripCharsWhitespace osx-10-10 opt      342,711.17 -> 298,132.50

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=12298
This would not have contributed to a performance improvement for string processing code (unless it's something esoteric and hand-wavey like "cache alignment").
Comment on attachment 8959029 [details]
Bug 1444440 - Ensure the correct error is emitted for policy distrusts r?keeler

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1441223
[User impact if declined]: Sometimes the Symantec policy error will be "unknown issuer" incorrectly, which may be confusing to the users.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Yes, since Wednesday 21 March.
[Needs manual test from QE? If yes, steps to reproduce]:  No, and it's being exercised by the TLS Canary (tlscanary.mozilla.org)
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: Medium-low risk
[Why is the change risky/not risky?]: It's a small patch, in code well covered by tests, but that code is our cert verification code. There cannot exist a low-risk change to that code, as it's security critical. Still, we've high confidence in the algorithm changes, and it's got tests.
[String changes made/needed]: No changes needed.
Attachment #8959029 - Flags: approval-mozilla-beta?
Comment on attachment 8959029 [details]
Bug 1444440 - Ensure the correct error is emitted for policy distrusts r?keeler

better error for the symantec distrust in some cases, beta60+
Attachment #8959029 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.