Closed Bug 481968 Opened 11 years ago Closed 11 years ago

Update mozilla-1.9.1 to pick up NSS 3.12.3 or newer

Categories

(Core :: Security: PSM, defect, P1)

1.9.1 Branch
x86
Linux
defect

Tracking

()

RESOLVED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

(Keywords: fixed1.9.1, Whiteboard: [sg:want])

Update mozilla-1.9.1 to pick up NSS 3.12.3 or newer

This is currently blocked by bug 474606.
And, as I understand it, this blocks bug 466745, yes?
Blocks: 466745
(In reply to comment #1)
> And, as I understand it, this blocks bug 466745, yes?

While bug 466745 is fixed in NSS, landing this updated snapshot is necessary for the fix to arrive in the application.
Depends on: 486182
Beta 4 code freeze is currently scheduled for April 7 (tomorrow) - is this likely to make that cutoff?
Even a release-candidate or beta tag might be good -- if you guys are done enough to be seriously testing that's probably OK for our beta if there won't be much change (personal guess, I'm not making those decisions for FF3.5). It'd be better to get most of the 3.12.3 changes tested in our beta than to get none and not be able to take 3.12.3 at all in our final for lack of client beta testing.
Today, the NSS team will tag our release candidate for NSS 3.12.3 RTM.

This new version contains fixes for numerous bugs and vulnerabilities, and
also is the code base that will begin FIPS validation in two weeks.  (We
will probably have one more release version after 3.12.3, explicitly to be
the "FIPS" version).

I believe mozilla should pick up 3.12.3 for FF 3.5 ASAP, in time for the
FF 3.5 Beta 4 Code freeze. The reasons are that we want FF 3.5 to get the
numerous vulnerability fixes, but we do NOT want Firefox 3.5 RTM to take
a major step between 3.12.2 and the final FIPS validated NSS 3.12.x.

NSS 3.12.3 also fixes an NSS 3.12.2 deficiency that affects EV. When the
application requests that NSS report verification failure in the absence
of "fresh" revocation information, and the only form of revocation
information for the cert is a CRL, and the CRL is not locally available,
NSS 3.12.2 would erroneously report verification success.  NSS 3.12.3
reports verification failure in that case, exactly as the application
requests.

This fix creates a situation for EV certs from some issuers.
When verifying a cert chain for EV, PSM requests that NSS report
verification failure in the absence of "fresh" revocation information.
NSS 3.12.3 does not yet fetch CRLs on demand, so EV certs which depend on
CRL fetching for revocation information will fail validation when PSM
requests them to do so.  This causes some EV certs to be shown as not EV.

When Firefox 3.5 picks up 3.12.3, this issue can be resolved in one of
(at least) 3 ways, including:

1) Change PSM to no longer specify that NSS must fail EV validation in the
absence of fresh revocation information.  This would preserve the behavior
FF 3.0 has today.  While not fully EV spec compliant, this approach at
least makes the cause apparent in the source code, rather than being
hidden (as a bug).

2) Take no remedial action. This will cause EV certs which specify CRLDP and
not OCSP (and which have no active work arounds, such as in Bug 485052) to
display without EV indicia.

3) Commit the patch for Bug 485052, which mitigates this problem for some of
the big EV CAs.  (This choice is not mutually exclusive with choice 1
above.)

Firefox 3.0 already behaves as described in choice 1 above, but this
behavior is 'hidden' in the code. I don't think this is a good state of
affairs, either for us or our customers. We should either be in compliance,
or document explicitly our non-compliance.

In any case we shouldn't let this issue prevent picking up NSS 3.12.3. We
don't want the final FF 3.5 adoption of NSS 3.12.next to be a large leap.

Status of CRLDP fetching on demand: We have seen CRL fetching work, but
a few CRL caching issues remain to be resolved, and the patch has not yet
passed review or been committed.  We expect this feature will be available
in NSS 3.12.4 in a couple of weeks.

bob
The tag NSS_3_12_3_RC0 now exists in the CVS tree.
Flags: blocking1.9.1?
Whiteboard: [sg:want]
Blocking P1 for Beta 4.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
push to ff 3.5 branch
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f160224c5221
Status: NEW → RESOLVED
Closed: 11 years ago
Keywords: fixed1.9.1
Resolution: --- → FIXED
Depends on: 487673
No longer depends on: 487673
Depends on: 514955
You need to log in before you can comment on or make changes to this bug.