Closed Bug 1484351 Opened 6 years ago Closed 6 years ago

CCADB entries generated 2018-08-17T22:24:14Z

Categories

(Core :: Security Block-lists, Allow-lists, and other State, defect)

Product:
Core
Component:
Security Block-lists, Allow-lists, and other State
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: omphalos, Assigned: cr)

References

Details

Attachments

(2 files)

Intermediates to be revoked
8.46 KB, text/plain
cr
: review+
kathleen.a.wilson
: review+
Details
existing and new revocations in the form of a revocations.txt file
41.68 KB, text/plain
cr
: review+
kathleen.a.wilson
: review+
Details 
      No description provided.
Revocations data for new records
Attachment #9002109 - Flags: review?(kwilson)
Attachment #9002109 - Flags: review?(cr)
Revocations data for new and existing records
Attachment #9002110 - Flags: review?(kwilson)
Attachment #9002110 - Flags: review?(cr)
(3, 61F263F68DC83C12, AC Firmaprofesional - CFEA) no match found in CRL: 

(5, 1EF001DC1C2163C8, AC Firmaprofesional - OTC) no match found in CRL:
(In reply to omphalos from comment #3)
> (3, 61F263F68DC83C12, AC Firmaprofesional - CFEA) no match found in CRL: 
> 
> (5, 1EF001DC1C2163C8, AC Firmaprofesional - OTC) no match found in CRL:

Not Revoked, but these two certs are not intended for TLS, so CA asked to add to OneCRL via Bug #1465531.
Comment on attachment 9002109 [details]
Intermediates to be revoked

I confirm that these are the correct entries to add to OneCRL.
Attachment #9002109 - Flags: review?(kwilson) → review+
Comment on attachment 9002110 [details]
existing and new revocations in the form of a revocations.txt file

I confirm that this revocations.txt file has the new entries, and is ready for compatibility testing.

Thanks!
Attachment #9002110 - Flags: review?(kwilson) → review+
Downloading intermediates to be revoked from bug # 1484351

Results:
Pending Kinto Dataset (Found): 790
Added Entries (Expected): 38
[GOOD] Expected But Not Pending (Not Found): 0
Deleted: 0
[GOOD] Entries In Production But Lost Without Being Deleted (Missing): 0

[GOOD] The Expected file matches the change between the staged Kinto and production.
[GOOD] The Kinto dataset found at production equals the union of the expected file and the live list.
Nothing not found.
Nothing deleted.
Assignee: nobody → cr
I ran a regression on test on nightly against The Umbrella Top 1M over the weekend, and there are two regressions:

"host": "betplay.com.co", 
  "rank": 460890, 
  "short_error_message": "SEC_ERROR_UNKNOWN_ISSUER", 
  "ssl_status":
    "issuerCommonName": "COMODO RSA Domain Validation Secure Server CA", 
    "issuerName": "CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB", 
    "sha1Fingerprint": "EB:87:BE:3D:1E:B0:BE:CE:CA:12:DB:76:FA:E4:93:CE:E4:45:FE:09", 
    "sha256Fingerprint": "04:31:02:6C:EA:C3:EC:B6:0E:AF:1A:B0:0F:F9:8E:99:2B:13:F9:F9:CA:F2:90:6D:69:8F:A0:32:25:D0:FA:93", 
    "status": 2153390067, 

"host": "stage.crystalcruises.com", 
   "rank": 836362, 
   "short_error_message": "SEC_ERROR_REVOKED_CERTIFICATE", 
   "status": 2153390068, 


Expected?
Attachment #9002109 - Flags: review?(cr) → review+
Attachment #9002110 - Flags: review?(cr) → review+
(In reply to Christiane Ruetten [:cr] from comment #8)
> I ran a regression on test on nightly against The Umbrella Top 1M over the
> weekend

Thanks!


> and there are two regressions:
> 
> "host": "betplay.com.co", 
>   "rank": 460890, 
>   "short_error_message": "SEC_ERROR_UNKNOWN_ISSUER", 
>   "ssl_status":
>     "issuerCommonName": "COMODO RSA Domain Validation Secure Server CA", 
>     "issuerName": "CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO
> CA Limited,L=Salford,ST=Greater Manchester,C=GB", 
>     "sha1Fingerprint":
> "EB:87:BE:3D:1E:B0:BE:CE:CA:12:DB:76:FA:E4:93:CE:E4:45:FE:09", 
>     "sha256Fingerprint":
> "04:31:02:6C:EA:C3:EC:B6:0E:AF:1A:B0:0F:F9:8E:99:2B:13:F9:F9:CA:F2:90:6D:69:
> 8F:A0:32:25:D0:FA:93", 
>     "status": 2153390067, 

False alarm -- maybe their were updating there webserver SSL cert last weekend.

> 
> "host": "stage.crystalcruises.com", 
>    "rank": 836362, 
>    "short_error_message": "SEC_ERROR_REVOKED_CERTIFICATE", 
>    "status": 2153390068, 

Same error on release, so not caused by these changes to OneCRL.


So, looks like these changes to OneCRL are ready to go.

Thanks!
Approved at Kinto, change is rolling out.
I have verified that the changes showed up in revocations.txt for a new Firefox profile, and all looks correct.

I still have not received the updated revocations.txt for my existing Firefox profile.
(In reply to Kathleen Wilson from comment #11)
> I still have not received the updated revocations.txt for my existing
> Firefox profile.

Received and verified.

Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Blocks: 1465531

Moving bug to Core::Security Block-lists, Allow-lists, and other State.

Component: Blocklist Policy Requests → Security Block-lists, Allow-lists, and other State
Product: Toolkit → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: