Closed Bug 757197 Opened 10 years ago Closed 10 years ago
May 2012 batch of NSS root CA changes
This single bug intends to deal with multiple pending change requests, as of mid May 2012, see dependency list.
Target Milestone: --- → 3.13.5
Version: 3.13.5 → 3.13.4
Ok, this bug also depends on bug 757189. We should make a decision which trust flag to use for consistency, and the patch in this bug should use the agreed not-explicitly-trusted flag from bug 757189
This patch adds 6 new root CA certificates as requested in 4 bugs. This patch also changes the trust flags of 3 certificates as requested in 3 bugs. The certificate additions were created using the patch from bug 757189 (which uses the CKT_NSS_TRUST_UNKNOWN flag) and the following commands:

addbuiltin -n "Actalis Authentication Root CA" -t C,,C < ~/moz/nss/head/root0512/actalis-742525.der >> certdata.txt
addbuiltin -n "Trustis FPS Root CA" -t C,C, < ~/moz/nss/head/root0512/trustis-742514.der >> certdata.txt
addbuiltin -n "StartCom Certification Authority" -t C,C,C < ~/moz/nss/head/root0512/startcom-sha256-751954.der >> certdata.txt
addbuiltin -n "StartCom Certification Authority G2" -t C,C,C < ~/moz/nss/head/root0512/startcom-g2-751954.der >> certdata.txt
addbuiltin -n "Buypass Class 2 Root CA" -t C,, < ~/moz/nss/head/root0512/buypass-c2-752103.der >> certdata.txt
addbuiltin -n "Buypass Class 3 Root CA" -t C,, < ~/moz/nss/head/root0512/buypass-c3-752103.der >> certdata.txt
Assignee: nobody → kaie
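A check a reviewer could run after commands like the ones above, as an added example that is not part of the bug or of NSS: it expands each -t argument into the three trust attributes of a certdata.txt trust object and reports every bit that differs from the request. The helper names and the sample excerpt are constructed for illustration; the CKA_TRUST_* and CKT_NSS_* names are those of the certdata.txt format.

```python
import re

# Position in the -t argument -> certdata.txt attribute (SSL, e-mail, code signing).
ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION", "CKA_TRUST_CODE_SIGNING")

def expected_trust(targ):
    """Expand a -t argument such as 'C,,C' into {attribute: is_trusted_ca}."""
    ssl, email, code = targ.split(",")  # ValueError unless exactly three fields
    return dict(zip(ATTRS, ("C" in field for field in (ssl, email, code))))

def parse_trust_objects(text):
    """Return {label: {attribute: CKT_* value}} for every CKO_NSS_TRUST object."""
    objects, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("CKA_CLASS "):
            # A new object starts here; only trust objects are collected.
            current = {} if line.endswith("CKO_NSS_TRUST") else None
        elif current is not None:
            if m := re.match(r'CKA_LABEL UTF8 "(.*)"$', line):
                objects[m.group(1)] = current
            elif m := re.match(r"(CKA_TRUST_\w+) CK_TRUST (CKT_\w+)$", line):
                current[m.group(1)] = m.group(2)
    return objects

def audit(text, requested):
    """List (label, attribute, found) where the file differs from the request."""
    found, problems = parse_trust_objects(text), []
    for label, targ in requested.items():
        for attr, want in expected_trust(targ).items():
            value = found.get(label, {}).get(attr, "missing")
            if value == "missing" or (value == "CKT_NSS_TRUSTED_DELEGATOR") != want:
                problems.append((label, attr, value))
    return problems

# Constructed excerpt in certdata.txt layout (hash and serial attributes omitted).
# The second object's e-mail bit is wrong on purpose so the audit has a finding.
SAMPLE = '''
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Actalis Authentication Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Buypass Class 2 Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
'''
REQUESTED = {"Actalis Authentication Root CA": "C,,C", "Buypass Class 2 Root CA": "C,,"}
```

Calling audit(SAMPLE, REQUESTED) returns one finding, the e-mail trust bit on the constructed Buypass entry; a label that is absent from the file is reported as "missing" for each attribute.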
I'm NOT yet requesting review. I propose to produce a test build first. As a first step, I propose that Kathleen might do a sanity check that the actions from bug 757189 didn't have a bad effect for the roots where we're doing the consistency cleanup (which should have zero effect on functionality.) Later, after the first step succeeded, I will proceed with asking CAs to test and give feedback.
The test build can be found at http://firstname.lastname@example.org/
The link in comment 4 will go away after a couple of days. A backup download location is http://kuix.de/mozilla/tryserver-roots-20120521/
Comment on attachment 625758: Patch v1
We'll use a different patch and a new build, because we want to use a different approach for bug 757189 and we want to include bug 760167, too.
Attachment #625758 - Attachment is obsolete: true
This patch must be applied on top of the patch from bug 757189.
I created an updated try build http://email@example.com/ I created backups at http://kuix.de/mozilla/tryserver-roots-20120604/
Comment on attachment 629325: Patch v3
Bob, we've received all the necessary testing confirmation, therefore I'd like to ask for your code review. Thanks
Attachment #629325 - Flags: review?(rrelyea)
Comment on attachment 629325: Patch v3
r+ rrelyea
Attachment #629325 - Flags: review?(rrelyea) → review+
trunk for 3.14:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c
new revision: 1.88; previous revision: 1.87
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt
new revision: 1.85; previous revision: 1.84
done

3.13.4 branch for 3.13.6:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c
new revision: 126.96.36.199; previous revision: 188.8.131.52
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt
new revision: 184.108.40.206; previous revision: 220.127.116.11
done
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Kai, anything QA needs to be on the lookout for in terms of potential Firefox 10.0.12esr regressions?
Anthony, besides new root CA certs now being trusted by Firefox (now the same set of certificates that are trusted in the most recent release of Firefox 18), you shouldn't see anything else.
Do we know of any websites utilizing the new root CA certs that we can spotcheck?
As per bug 795355 comment 16, adding verifyme to spotcheck the test URLs mentioned in the dependent bugs.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #15)
> Do we know of any websites utilizing the new root CA certs that we can
> spotcheck?

Bug #718841 -- https://www.verisign.com
Bug #722843 -- https://www.thawte.com/
Bug #742514 -- https://www.trustis.com/
Bug #742525 -- https://portal-pte.actalis.it/
Bug #751954 -- https://www.startssl.com/ , https://g2.startcom.org/
Bug #752103 -- https://valid.domainplus.ca22.ssl.buypass.no/CA2Class2
               https://valid.evident.ca23.ssl.buypass.no/CA2Class3
Bug #752110 -- https://repository.trust.teliasonera.com/
Bug #757189 -- none
Bug #760167 -- none
Thank you Kathleen!
Verified fixed on Firefox 10.0.12 ESR, for the following OSs: Windows 7 64-bit, Ubuntu 12.04 32-bit, Mac OSX 10.8. I've also done some exploratory on these links: refreshing tabs, closing & reopening tabs, session restore, etc.

Build ID: 20130103094221

User Agents:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
Thank you Manuela!