Closed Bug 1484889 Opened 7 years ago Closed 7 years ago

TLS Canary run: test removal of Certplus Class 2 Primary CA

Categories

(NSS :: CA Certificates Code, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wthayer, Assigned: cr)

Please run a TLS Canary regression on a Firefox build that has the Certplus Class 2 Primary CA root removed and provide the resulting list of affected sites out of the top 1M.
Fingerprint: 0F993C8AEF97BAAF5687140ED59AD1821BB4AFACF0AA9A58B5D57A338A3AFBCB
Subject: CN=Class 2 Primary CA; OU=; O=Certplus; C=FR
CR: can your team help with this?
Flags: needinfo?(cr)
Yes, gladly. I'm aiming to deliver the results within a week.
Flags: needinfo?(cr)
Assignee: nobody → cr
I only have preliminary results for you at this time because there's yet another XPCShell regression in nightly (they're frequently popping functionality) that prevents tlscanary from acquiring the full certificate chain. There are 94 regressions in total, all but two coming from Keynectis-issued certs (which I assume are rooted in Certplus). The other two look like false-positives to me:
715828,payment.eagleeyes.tw,2153398259,MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,Symantec Class 3 Secure Server CA - G4
819885,www.fisherinvestments.eu,2153390069,SEC_ERROR_EXPIRED_CERTIFICATE,Let's Encrypt Authority X3
Here's the full list:
Wayne, let me know whether you need the full certificates or any other work done around this. Else I'd close the bug.
Status: NEW → ASSIGNED
Flags: needinfo?(wthayer)
This is what I needed. Thanks!
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
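
The triage described in the preliminary-results comment above, as an added example that is not part of the bug thread or of TLS Canary itself: it separates rows explained by the root removal from rows that need a manual look, and decodes the numeric code in each row. Assumptions: the row layout (rank, host, numeric code, error name, issuer) is inferred from the rows shown, the set of expected issuers comes from the comment's wording, and the decoding follows Firefox's nsresult encoding for security-module errors.

```python
from collections import Counter

# nsresult layout for PSM errors: 0x80000000 | (module << 16) | (-NSS error code).
# Module 0x5A is NS_ERROR_MODULE_SECURITY (21) plus the base offset 0x45.
SECURITY_MODULE = 0x5A

# Intermediates the bug comment attributes to the removed root (assumption
# taken from the comment's wording, not verified against the actual chains).
EXPECTED_ISSUERS = {"CLASS 2 KEYNECTIS CA", "KEYNECTIS Extended Validation CA"}

# The first two rows are the ones quoted in the comment; the last two use
# constructed host names under example.test.
SAMPLE_ROWS = """\
715828,payment.eagleeyes.tw,2153398259,MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,Symantec Class 3 Secure Server CA - G4
819885,www.fisherinvestments.eu,2153390069,SEC_ERROR_EXPIRED_CERTIFICATE,Let's Encrypt Authority X3
100001,shop.example.test,2153390067,SEC_ERROR_UNKNOWN_ISSUER,CLASS 2 KEYNECTIS CA
100002,bank.example.test,2153390067,SEC_ERROR_UNKNOWN_ISSUER,KEYNECTIS Extended Validation CA
"""

def nss_error_number(nsresult):
    """Return the negative NSS/mozilla::pkix error number, or None if the
    value is not a failure code from the security module."""
    if nsresult >> 31 != 1 or (nsresult >> 16) & 0x7FFF != SECURITY_MODULE:
        return None
    return -(nsresult & 0xFFFF)

def triage(text):
    """Split rows into regressions explained by the root removal and rows
    that need a manual look (likely unrelated to the removed root)."""
    explained, review = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rank, host, code, error, issuer = line.split(",", 4)
        row = {"rank": int(rank), "host": host, "error": error,
               "issuer": issuer, "nss": nss_error_number(int(code))}
        if error == "SEC_ERROR_UNKNOWN_ISSUER" and issuer in EXPECTED_ISSUERS:
            explained.append(row)
        else:
            review.append(row)
    return explained, review

if __name__ == "__main__":
    explained, review = triage(SAMPLE_ROWS)
    print(Counter(r["issuer"] for r in explained))
    for r in review:
        print("review:", r["host"], r["error"], r["nss"])
```

Rows that land in the review bucket are the ones to check by hand before the removal ships, since their failure is not an unknown-issuer error under one of the expected intermediates.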