Remove hard-coded blocklisting in PSM for Comodo and Diginotar

RESOLVED FIXED in mozilla29

Status: RESOLVED FIXED
Severity: minor
Timestamps: 7 years ago, 5 years ago
Reporter: briansmith
Assigned: briansmith
Version: Trunk
Target Milestone: mozilla29
Attachments: 1 attachment, 3 obsolete attachments

This blocking is handled at the NSS level, so we don't need this PSM code. The DigiNotar-related code is part of the cause of bug 730734.
Created attachment 603349 [details] [diff] [review]
Remove hard-coded blocking of Comodogate certificates from PSM
Attachment #603349 - Flags: review?(kaie)
Created attachment 603351 [details] [diff] [review]
Remove hard-coded blocking of Diginotar certificates
Attachment #603351 - Flags: review?(kaie)
Brian, 

please explain for both Comodo and DigiNotar why your request is justified.
Aren't these checks redundant with the checks that are done in NSS, now that these certs are blacklisted at the NSS level?
And if the NSS-level checks are not sufficient, then we should fix that, since the NSS-level mechanism is the mechanism we are planning to use for future blocking, including blocking the TrustWave MITM cert. So, AFAICT, this is dead code.
Brian, you should implement automated tests that prove that your proposed changes are fine and still block the bad certs (I'm worried this code is still necessary).
Comment on attachment 603349 [details] [diff] [review]
Remove hard-coded blocking of Comodogate certificates from PSM

missing tests
Attachment #603349 - Flags: review?(kaie) → review-
Comment on attachment 603351 [details] [diff] [review]
Remove hard-coded blocking of Diginotar certificates

missing tests
Attachment #603351 - Flags: review?(kaie) → review-
Created attachment 771026 [details] [diff] [review]
Remove DigiNotar and Comodo hacks

Still needs tests.
Attachment #603349 - Attachment is obsolete: true
Attachment #603351 - Attachment is obsolete: true
Attachment #771026 - Flags: review?(cviecco)
Comment on attachment 771026 [details] [diff] [review]
Remove DigiNotar and Comodo hacks

Review of attachment 771026 [details] [diff] [review]:
-----------------------------------------------------------------

Do we have any tests that this is still working with the nss blacklist?
Attachment #771026 - Flags: review?(cviecco) → review+
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla29
Created attachment 8363448 [details] [diff] [review]
bug-733454.patch

Rebased, carrying over r+
Attachment #771026 - Attachment is obsolete: true
Attachment #8363448 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/4c4220bf9e14
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Why is this bug fixed without adding any tests?
Flags: needinfo?(brian)
(In reply to Masatoshi Kimura [:emk] from comment #14)
> Why is this bug fixed without adding any tests?

A combination of laziness and deadlines, and the fact that these certificates either expired already (2014-03-xx) and/or they were untrusted by other means. For example, we removed the Diginotar roots from NSS and we disabled MD5-based signature verification a while back.
Flags: needinfo?(brian)