Closed Bug 915930 (mozilla::pkix) Opened 6 years ago Closed 5 years ago

Make mozilla::pkix the default certificate verifier

Categories

(Core :: Security: PSM, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla31
Tracking Status
firefox31 + verified
relnote-firefox --- 31+

People

(Reporter: briansmith, Assigned: cviecco)

References

(Blocks 2 open bugs)

Details

(Keywords: feature)

Attachments

(1 file, 1 obsolete file)

No description provided.
No longer depends on: 915931
No longer blocks: 923304
Alias: insanity::pkix
No longer depends on: 871954
Assignee: nobody → brian
Status: NEW → ASSIGNED
Matt, I'd like us to run the same kind of tests that we ran for testing TLS 1.2 compatibility against this feature, using the scripts you wrote. I suspect that we'll be ready for doing that testing in a day or two. If at all possible, we should try to do the compatibility testing in the next couple of weeks, if not sooner. If that time frame doesn't work for you, could you please send me the latest version of your testing script so I can try to run it? This is a high-priority feature and parts of it were uplifted to Firefox 29 already.
Flags: needinfo?(mwobensmith)
Keywords: qawanted
Sounds great. Will do. We can run the script at any time. 

Just let me know when we are ready to do so, as it sounds as if there are dependencies that we are waiting on.
Flags: needinfo?(mwobensmith)
QA Contact: mwobensmith
Priority: -- → P2
No longer depends on: 966856
This should go in the Firefox 30 release notes.
This should not go into the Firefox 29 release notes.
I suspect you may want to wait until it is RESOLVED FIXED though.
relnote-firefox: --- → ?
Re-assigning the tracking bug because I'm basically on the hook for this.
Assignee: brian → dkeeler
Assignee: dkeeler → brian
Depends on: 982248
Depends on: 982340
Blocks: 985025
No longer depends on: 985025
I'm beginning the renaming of open bugs with "insanity::pkix" in the title as part of renaming the project to "mozilla::pkix". You'll likely receive a lot of bugspam. Apologies in advance.
Alias: insanity::pkix → mozilla::pkix
Summary: Make insanity::pkix the default certificate verifier → Make mozilla::pkix the default certificate verifier
Depends on: 988462
No longer depends on: 982340
No longer depends on: 982536
No longer depends on: 986171
Depends on: 989051
Attached patch patch (obsolete) — Splinter Review
Since bug 986156 is inbound and bug 987295 and bug 989516 are ready to land, we're looking to turn this on today. The intention of this patch is to add the pref (default false) to anything using gecko. Adding the pref (default true) in firefox.js makes it so it is only enabled in Firefox.
Attachment #8399611 - Flags: review?(cviecco)
Attachment #8399611 - Flags: feedback?(brian)
Comment on attachment 8399611 [details] [diff] [review]
patch

Review of attachment 8399611 [details] [diff] [review]:
-----------------------------------------------------------------

Why dont we make another bug (with this patch) to enable mozilla::pkix in firefox(only) and leave this when we what to have all products with it as default? (when we actually change the value in nsNSSComponent)
Attachment #8399611 - Flags: review?(cviecco) → review-
Comment on attachment 8399611 [details] [diff] [review]
patch

Ok - filed bug 990248.
Attachment #8399611 - Attachment is obsolete: true
Attachment #8399611 - Flags: feedback?(brian)
Target Milestone: --- → mozilla30
Depends on: 991209
No longer depends on: 990557
No longer depends on: 994981
Do we know if it is going to be shipped with 30?
It is on 30,(In reply to Sylvestre Ledru [:sylvestre] from comment #9)
> Do we know if it is going to be shipped with 30?

The new certverifier is on 30 but it is not enabled by default as it has several performance and compatibility issues. The goal is default for 31.
No longer depends on: 997994
No longer depends on: 982248, 982340
Hey brian, can you take a look at the patch. Do you think we can land this as default before 31 becomes aurora? (if so please review the patch) I can land it.
Flags: needinfo?(brian)
Comment on attachment 8412359 [details] [diff] [review]
make-mozilla-pkix-default-certverifier

Review of attachment 8412359 [details] [diff] [review]:
-----------------------------------------------------------------

This fill fix an issue on android (Bug  1001240) so we want it before the uplift on monday (this is just flippling a switch for all gecko instead of only for desktop).
Attachment #8412359 - Flags: review?(honzab.moz)
Assignee: brian → cviecco
Flags: needinfo?(brian)
Comment on attachment 8412359 [details] [diff] [review]
make-mozilla-pkix-default-certverifier

Review of attachment 8412359 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks. I suggest emailing dev-platform to let the Thunderbird/SeaMonkey people know that they should look for trouble. You may want to explicitly mention bug 982340 to them.
Attachment #8412359 - Flags: review?(honzab.moz) → review+
No longer depends on: 916629, 998517
https://hg.mozilla.org/mozilla-central/rev/83c0c0d2436d
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Marking tracking for 31 so that we can get this into QA test plans while it's on beta -- can someone put in steps for QA verification on this new feature?
Flags: needinfo?(twalker)
Flags: needinfo?(cviecco)
Flags: needinfo?(anthony.s.hughes)
This page should have the information necessary to test: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Request_for_Testing
Testing basically consists of browsing https sites and making sure we get the same results as before (in some cases the behavior is different, but we definitely shouldn't be breaking any sites that use a certificate signed by a CA in our root program). The pref "security.use_mozillapkix_verification" controls whether or not the new library is in use.
There's also an automated compatibility testing script Matt Wobensmith developed. It would be great to run that, too.
Flags: needinfo?(cviecco)
(In reply to Lukas Blakk [:lsblakk] from comment #17)
> Marking tracking for 31 so that we can get this into QA test plans while it's on beta

Assuming you mean Firefox 30 Beta based on the status flags. Matt is already assigned here so I trust he can take care of verifying this is fixed.
Flags: needinfo?(twalker)
Flags: needinfo?(anthony.s.hughes)
Keywords: feature, verifyme
Yes, I'll own QA verification. Thanks all.
This doesn't look to have landed on 30 at all - can someone confirm? I see it landing pre-merge to central (31). Also, yes, Matt will have this (my confusion was about this not being a sec bug)
This feature was targeted for Fx31. I believe it's present in Fx30 but off by default.
Added in the release notes: "mozilla::pkix as default certificate verifier"
This isn't meant to be enabled in 30.
Target Milestone: mozilla30 → mozilla31
Hi Matt, as we get close to the release for 31 we're looking to verify all fixes marked as "verifyme". Since this is one of them, I wanted to ask you whether you're handling this one or if you need some help from us.
Flags: needinfo?(mwobensmith)
The default setting for mozilla::pkix in Fx31 is indeed turned on, so I am marking this as verified.
Flags: needinfo?(mwobensmith)
Depends on: 1036338
Depends on: 1189145
You need to log in before you can comment on or make changes to this bug.