Closed Bug 1676303 Opened 5 years ago Closed 5 years ago

Remove 10 GeoTrust, thawte, and VeriSign root certs from TrustOverride-SymantecData.inc

Categories

(Core :: Security: PSM, enhancement)

Tracking

RESOLVED FIXED
86 Branch
Tracking Status
firefox86 --- fixed

People

(Reporter: kathleen.a.wilson, Assigned: mbirghan)

Details

(Whiteboard: Removed from NSS 3.60, FF 85)

Attachments

(1 file)

After the following root certificates are removed from NSS via Bug #1670769, please also remove them from TrustOverride-SymantecData.inc

GeoTrust Global CA
https://crt.sh/?id=17
Serial number: 023456
SHA2 thumbprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 1/1/2020

GeoTrust Primary Certification Authority
https://crt.sh/?id=4350
Serial number: 18ACB56AFD69B6153A636CAFDAFAC4A1
SHA2 thumbprint: 37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 1.3.6.1.4.1.14370.1.6
Distrust for TLS After Date: 4/30/2019

GeoTrust Primary Certification Authority - G3
https://crt.sh/?id=847444
Serial number: 15AC6E9419B2794B41F627A9C3180F1F
SHA2 thumbprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 1.3.6.1.4.1.14370.1.6
Distrust for TLS After Date: 4/30/2019

thawte Primary Root CA
https://crt.sh/?id=30
Serial number: 344ED55720D5EDEC49F42FCE37DB2B6D
SHA2 thumbprint: 8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.48.1
Distrust for TLS After Date: 4/30/2019

thawte Primary Root CA - G3
https://crt.sh/?id=254193
Serial number: 600197B746A7EAB4B49AD64B2FF790FB
SHA2 thumbprint: 4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.48.1
Distrust for TLS After Date: 4/30/2019

VeriSign Class 3 Public Primary Certification Authority - G4
https://crt.sh/?id=2771491
Serial number: 2F80FE238C0E220F486712289187ACB3
SHA2 thumbprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.23.6
Distrust for TLS After Date: 1/31/2019

VeriSign Class 3 Public Primary Certification Authority - G5
https://crt.sh/?id=93
Serial number: 18DAD19E267DE8BB4A2158CDCC6B3B4A
SHA2 thumbprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.23.6
Distrust for TLS After Date: 4/30/2019

thawte Primary Root CA - G2
https://crt.sh/?id=3382830
Serial number: 35FC265CD9844FC93D263D579BAED756
SHA2 thumbprint: A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 9/30/2018

GeoTrust Universal CA
https://crt.sh/?id=4174851
Serial number: 01
SHA2 thumbprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 9/30/2018

GeoTrust Universal CA 2
https://crt.sh/?id=4175126
Serial number: 01
SHA2 thumbprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 1/1/2020

Assignee: nobody → mbirghan
Status: NEW → ASSIGNED
Pushed by abutkovits@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2ac5258d1da1 Remove 10 GeoTrust, thawte, and VeriSign root certs from TrustOverride-SymantecData.inc r=keeler
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Whiteboard: Removed from NSS 3.60, FF 85
Pushed by ccoroiu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b1c01a78a999 Remove 10 GeoTrust, thawte, and VeriSign root certs from TrustOverride-SymantecData.inc r=keeler

Backed out for causing perma failures in test_sanctions_symantec_apple_google.js

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&selectedTaskRun=agEpFzFqR42-7kjF4G1q7A.0&resultStatus=success%2Ctestfailed%2Cbusted%2Cexception%2Crunning%2Cpending%2Crunnable&searchStr=android%2C7.0%2Cx86-64%2Copt%2Cxpcshell%2Ctests%2Ctest-android-em-7.0-x86_64%2Fopt-geckoview-xpcshell-e10s%2Cx2&revision=b1c01a78a999d2957793ed0a78ac32218704e8db

Backout link: https://hg.mozilla.org/integration/autoland/rev/62b698bc1c34b4cf8970785c5b36dcfd6ad9ad52

Failure log: https://treeherder.mozilla.org/logviewer?job_id=324740015&repo=autoland&lineNumber=2106

"INFO - TEST-START | security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
[task 2020-12-16T19:46:20.949Z] 19:46:20 WARNING - TEST-UNEXPECTED-FAIL | security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js | xpcshell return code: 0
[task 2020-12-16T19:46:20.949Z] 19:46:20 INFO - TEST-INFO took 599ms
[task 2020-12-16T19:46:20.950Z] 19:46:20 INFO - >>>>>>>
[task 2020-12-16T19:46:20.950Z] 19:46:20 INFO - security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js | xpcw: cd /data/local/tmp/test_root/xpc/security/manager/ssl/tests/unit
[task 2020-12-16T19:46:20.951Z] 19:46:20 INFO - security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js | xpcw: xpcshell --greomni /data/local/tmp/test_root/xpcb/geckoview-androidTest.apk -m -e const _HEAD_JS_PATH = "/data/local/tmp/test_root/xpc/head.js"; -e const _MOZINFO_JS_PATH = "/data/local/tmp/test_root/xpc/p/mozinfo.json"; -e const _PREFS_FILE = "/data/local/tmp/test_root/xpc/user.js"; -e const _TESTING_MODULES_DIR = "/data/local/tmp/test_root/xpc/m"; -f /data/local/tmp/test_root/xpc/head.js -e const _HEAD_FILES = ["/data/local/tmp/test_root/xpc/security/manager/ssl/tests/unit/head_psm.js"]; -e const _JSDEBUGGER_PORT = 0; -e const _TEST_FILE = ["test_sanctions_symantec_apple_google.js"]; -e const _TEST_NAME = "security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js"; -e _execute_test(); quit(0);
[task 2020-12-16T19:46:20.951Z] 19:46:20 INFO - (xpcshell/head.js) | test MAIN run_test pending (1)
[task 2020-12-16T19:46:20.951Z] 19:46:20 INFO - (xpcshell/head.js) | test run_next_test 0 pending (2)
[task 2020-12-16T19:46:20.951Z] 19:46:20 INFO - (xpcshell/head.js) | test MAIN run_test finished (2)
[task 2020-12-16T19:46:20.951Z] 19:46:20 INFO - running event loop
[task 2020-12-16T19:46:20.951Z] 19:46:20 INFO - security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js | Starting
[task 2020-12-16T19:46:20.951Z] 19:46:20 INFO - (xpcshell/head.js) | test pending (2)
[task 2020-12-16T19:46:20.952Z] 19:46:20 INFO - TEST-PASS | security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js | - Binary util SanctionsTestServer should exist - true == true
[task 2020-12-16T19:46:20.952Z] 19:46:20 INFO - TEST-PASS | security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js | - certificate folder (test_sanctions) should exist - true == true
[task 2020-12-16T19:46:20.952Z] 19:46:20 INFO - (xpcshell/head.js) | test run_next_test 0 finished (2)
[task 2020-12-16T19:46:20.952Z] 19:46:20 INFO - security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js | sending 'GET / HTTP/1.0"

I think this bug needs to be reopened since the change was backed out.

Flags: needinfo?(kwilson)
Status: RESOLVED → REOPENED
Flags: needinfo?(kwilson) → needinfo?(dkeeler)
Resolution: FIXED → ---

Moritz, can you have a look?

Flags: needinfo?(dkeeler)

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:mbirghan, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(mbirghan)
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b20ebe6c1d7d Remove 10 GeoTrust, thawte, and VeriSign root certs from TrustOverride-SymantecData.inc r=keeler
Flags: needinfo?(mbirghan)
Status: REOPENED → RESOLVED
Closed: 5 years ago → 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch