September 2012 batch of root CA changes

VERIFIED FIXED in Firefox -esr10

Status

NSS
CA Certificates Code
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

({verifyme})

3.14
3.14
verifyme
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr1018+ verified, firefox-esr1718+ verified)

Details

Attachments

(1 attachment, 3 obsolete attachments)

(Assignee)

Description

5 years ago
This single bug intends to deal with multiple pending change requests, as of September 2012,
see dependency list.
(Assignee)

Comment 1

5 years ago
Created attachment 668019 [details] [diff] [review]
patch v1

Patch. Delaying review until we have test feedback for the changes.

Test build started:
https://tbpl.mozilla.org/?tree=Try&rev=564a5a2618f5
Assignee: nobody → kaie
(Assignee)

Updated

5 years ago
No longer depends on: 795020
(Assignee)

Comment 2

5 years ago
Created attachment 669320 [details] [diff] [review]
patch v3

This updated patch is a subset of the previous patch.

It contains the roots from TurkTrust and T-TeleSec, that have been confirmed as having been correctly added in the test build.
Attachment #668019 - Attachment is obsolete: true
Attachment #669320 - Flags: review?(rrelyea)
(Assignee)

Comment 3

5 years ago
Created attachment 669322 [details] [diff] [review]
Patch v4

Updated patch to increase the version number of the builtins module.
Attachment #669320 - Attachment is obsolete: true
Attachment #669320 - Flags: review?(rrelyea)
Attachment #669322 - Flags: review?(rrelyea)
(Assignee)

Comment 4

5 years ago
Created attachment 670464 [details] [diff] [review]
Patch v5

Given that Bob hadn't yet started the review, I'm updating the patch again.

This once again includes all 3 new roots. It's the same set of roots that had been included in the test build, plus the version number change.
Attachment #669322 - Attachment is obsolete: true
Attachment #669322 - Flags: review?(rrelyea)
Attachment #670464 - Flags: review?(rrelyea)

Comment 5

5 years ago
Kai, where's the bug for the 3rd root?

Updated

5 years ago
Depends on: 795020

Comment 6

5 years ago
Comment on attachment 670464 [details] [diff] [review]
Patch v5

r+ found the bug and attached it.

bob
Attachment #670464 - Flags: review?(rrelyea) → review+
(Assignee)

Comment 7

5 years ago
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.90; previous revision: 1.89
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.86; previous revision: 1.85
done
Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.38; previous revision: 1.37
done
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.14
(Assignee)

Comment 8

5 years ago
Also landed on NSS_3_13_4_BRANCH.

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/Attic/certdata.c,v  <--  certdata.c
new revision: 1.85.2.3; previous revision: 1.85.2.2
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.82.2.3; previous revision: 1.82.2.2
done
Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.35.2.2; previous revision: 1.35.2.1
done
(Assignee)

Comment 9

5 years ago
Should we adjust the target milestone to 3.13.7 ?
(Assignee)

Updated

5 years ago
tracking-firefox-esr10: --- → ?
tracking-firefox17: --- → ?
(Assignee)

Updated

5 years ago
tracking-firefox17: ? → ---
tracking-firefox-esr17: --- → ?
(Assignee)

Comment 10

5 years ago
Comment on attachment 670464 [details] [diff] [review]
Patch v5

Required as a base patch for root module consistency across Firefox branches.
Attachment #670464 - Flags: approval-mozilla-esr17?
Attachment #670464 - Flags: approval-mozilla-esr10?

Updated

5 years ago
status-firefox-esr10: --- → affected
status-firefox-esr17: --- → affected
tracking-firefox-esr10: ? → 18+
tracking-firefox-esr17: ? → 18+

Updated

5 years ago
Attachment #670464 - Flags: approval-mozilla-esr17?
Attachment #670464 - Flags: approval-mozilla-esr17+
Attachment #670464 - Flags: approval-mozilla-esr10?
Attachment #670464 - Flags: approval-mozilla-esr10+
(Assignee)

Comment 11

5 years ago
https://hg.mozilla.org/releases/mozilla-esr17/rev/1c235f2c2c27
status-firefox-esr17: affected → fixed
(Assignee)

Comment 12

5 years ago
https://hg.mozilla.org/releases/mozilla-esr10/rev/ef60da380f1b
status-firefox-esr10: affected → fixed
Kai, anything QA needs to be on the lookout for in terms of potential Firefox 10.0.12esr and 17.0.2esr regressions?
Whiteboard: [qa?]
(Assignee)

Comment 14

5 years ago
Anthony, besides new root CA certs now being trusted by Firefox (now the same set of certificates that are trusted in the most recent release of Firefox 18), you shouldn't see anything else.
Do we know of any websites using the new root CA certs that we could spotcheck?
(Assignee)

Comment 16

5 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #15)
> Do we know of any websites using the new root CA certs that we could
> spotcheck?

See the dependency list in this bug (and in the may 2012 bug). Each bug should have a link to an example page.
Thanks Kai. Adding verifyme to spotcheck the test URLs mentioned in the dependency bugs.
Keywords: verifyme
Whiteboard: [qa?]

Comment 18

5 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #15)
> Do we know of any websites using the new root CA certs that we could
> spotcheck?

bug #795355 -- Test URL: https://root-class3.test.telesec.de 

bug #768547 -- Test URL: https://evssl.turktrust.com.tr
(should fail)

bug #795020 -- Test URL: https://www.openxades.org/
Wow, thanks Kathleen! Would you be able to add a similar update to bug 757197?

Updated

5 years ago
No longer depends on: 768547
Verified fixed on Firefox 10.0.12 ESR, for the following OSs: Windows 7 64-bit, Ubuntu 12.04 32-bit, Mac OSX 10.8. 

Build ID: 20130103094221

User Agents:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
status-firefox-esr10: fixed → verified
QA Contact: manuela.muntean
Thank you Manuela. Can you also please test this against the 17.0.2esr candidate builds (they should be appearing on FTP in a few hours)?
Verified fixed on Firefox 17.0.2 ESR, for the following OSs: Windows 7 64-bit, Ubuntu 12.04 32-bit, Mac OSX 10.8. 

Build ID: 20130107124423

User Agents:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20100101 Firefox/17.0


I couldn't connect to the server for this page: https://evssl.turktrust.com.tr (that should fail the test), neither on Firefox nor on Chrome, for all 3 OSs tested.
Status: RESOLVED → VERIFIED
status-firefox-esr17: fixed → verified
You need to log in before you can comment on or make changes to this bug.