Closed Bug 481968 Opened 11 years ago Closed 11 years ago
.9 .1 to pick up NSS 3 .12 .3 or newer
Update mozilla-1.9.1 to pick up NSS 3.12.3 or newer This is currently blocked by bug 474606.
(In reply to comment #1) > And, as I understand it, this blocks bug 466745, yes? While bug 466745 is fixed in NSS, landing this updated snapshot is necessary for the fix to arrive in the application.
Beta 4 code freeze is currently scheduled for April 7 (tomorrow) - is this likely to make that cutoff?
Even a release-candidate or beta tag might be good -- if you guys are done enough to be seriously testing that's probably OK for our beta if there won't be much change (personal guess, I'm not making those decisions for FF3.5). It'd be better to get most of the 3.12.3 changes tested in our beta than to get none and not be able to take 3.12.3 at all in our final for lack of client beta testing.
Today, the NSS team will tag our release candidate for NSS 3.12.3 RTM. This new version contains fixes for numerous bugs and vulnerabilities, and also is the code base that will begin FIPS validation in two weeks. (We will probably have one more release version after 3.12.3, explicitly to be the "FIPS" version). I believe mozilla should pick up 3.12.3 for FF 3.5 ASAP, in time for the FF 3.5 Beta 4 Code freeze. The reasons are that we want FF 3.5 to get the numerous vulnerability fixes, but we do NOT want Firefox 3.5 RTM to take a major step between 3.12.2 and the final FIPS validated NSS 3.12.x. NSS 3.12.3 also fixes an NSS 3.12.2 deficiency that affects EV. When the application requests that NSS report verification failure in the absence of "fresh" revocation information, and the only form of revocation information for the cert is a CRL, and the CRL is not locally available, NSS 3.12.2 would erroneously report verification success. NSS 3.12.3 reports verification failure in that case, exactly as the application requests. This fix creates a situation for EV certs from some issuers. When verifying a cert chain for EV, PSM requests that NSS report verification failure in the absence of "fresh" revocation information. NSS 3.12.3 does not yet fetch CRLs on demand, so EV certs which depend on CRL fetching for revocation information will fail validation when PSM requests them to do so. This causes some EV certs to be shown as not EV. When Firefox 3.5 picks up 3.12.3, this issue can be resolved in one of (at least) 3 ways, including: 1) Change PSM to no longer specify that NSS must fail EV validation in the absence of fresh revocation information. This would preserve the behavior FF 3.0 has today. While not fully EV spec compliant, this approach at least makes the cause apparent in the source code, rather than being hidden (as a bug). 2) Take no remedial action. This will cause EV certs which specify CRLDP and not OCSP (and which have no active work arounds, such as in Bug 485052) to display without EV indicia. 3) Commit the patch for Bug 485052, which mitigates this problem for some of the big EV CAs. (This choice is not mutually exclusive with choice 1 above.) Firefox 3.0 already behaves as described in choice 1 above, but this behavior is 'hidden' in the code. I don't think this is a good state of affairs, either for us or our customers. We should either be in compliance, or document explicitly our non-compliance. In any case we shouldn't let this issue prevent picking up NSS 3.12.3. We don't want the final FF 3.5 adoption of NSS 3.12.next to be a large leap. Status of CRLDP fetching on demand: We have seen CRL fetching work, but a few CRL caching issues remain to be resolved, and the patch has not yet passed review or been committed. We expect this feature will be available in NSS 3.12.4 in a couple of weeks. bob
The tag NSS_3_12_3_RC0 now exists in the CVS tree.
Blocking P1 for Beta 4.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
push to ff 3.5 branch http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f160224c5221
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.