Closed Bug 1747320 Opened 3 years ago Closed 3 years ago

PSM should use the newly defined CRLite filter coverage metadata

Categories

(Core :: Security: PSM, enhancement)

Product:
Core
Component:
Security: PSM
Platform:
All
Unspecified
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
98 Branch
Tracking Flags:
Tracking Status
firefox98 --- fixed

People

(Reporter: jschanck, Assigned: jschanck)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1747320 - Only query CRLite on covered certificates. r=keeler
48 bytes, text/x-phabricator-request
Details | Review

The cert-revocations collection in remote settings now includes more fine-grained information about which certificates are covered by a CRLite filter. PSM should use this information when deciding whether or not to query a CRLite filter on a particular certificate.

Attachment #9256625 - Attachment description: WIP: Bug 1747320 - Only query CRLite on covered certificates. r=keeler → Bug 1747320 - Only query CRLite on covered certificates. r=keeler
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d4a6f5cb9b3f Only query CRLite on covered certificates. r=keeler

https://hg.mozilla.org/mozilla-central/rev/d4a6f5cb9b3f

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox98: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
Regressions: 1750188

Backed out for breaking connectivity with many https sites (bug 1750188)

Backout link: https://hg.mozilla.org/mozilla-central/rev/f00c5f3ac20092dc89512735a759f25a29b42467

Status: RESOLVED → REOPENED
status-firefox98: fixed → ---
Resolution: FIXED → ---
Target Milestone: 98 Branch → ---

Is there someway to update tests such that they do not only pass with new profiles?

Just me but wondering if bad interaction with the change in bug 1748341

Depends on: 1640316
Regressions: 1750115

The TLS connectivity failures were due to a function that returned the wrong return code if CRLite was in a "partially initialized" state.

Fully initializing CRLite involves two requests to Remote Settings. With new profiles, completion of the first request transitioned CRLite to a partially initialized state and broke clients' ability to establish TLS connections. This prevented the second Remote Settings request from being made, so clients were stuck partially initialized. With old profiles, the data on disk was not sufficient to fully initialize CRLite, so they were broken from start up. We have tests to cover the initialization, but those tests simulate Remote Settings by self-serving over HTTP.

This patch has been updated to fix the return code issue. Tests that initialize CRLite with partial/corrupted information have been added under Bug 1640316.

Flags: needinfo?(jschanck)
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0f0193ca7b5a Only query CRLite on covered certificates. r=keeler
Regressions: 1751261

https://hg.mozilla.org/mozilla-central/rev/0f0193ca7b5a

Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
status-firefox98: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
Blocks: crlite
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: