Closed Bug 915930 (mozilla::pkix) Opened 7 years ago Closed 6 years ago
Make mozilla::pkix the default certificate verifier
No description provided.
No longer depends on: 915931
No longer blocks: 923304
No longer depends on: 871954
Assignee: nobody → brian
Status: NEW → ASSIGNED
Matt, I'd like us to run the same kind of tests that we ran for testing TLS 1.2 compatibility against this feature, using the scripts you wrote. I suspect that we'll be ready for doing that testing in a day or two. If at all possible, we should try to do the compatibility testing in the next couple of weeks, if not sooner. If that time frame doesn't work for you, could you please send me the latest version of your testing script so I can try to run it? This is a high-priority feature and parts of it were uplifted to Firefox 29 already.
Sounds great. Will do. We can run the script at any time. Just let me know when we are ready to do so, as it sounds as if there are dependencies that we are waiting on.
No longer depends on: 966856
This should go in the Firefox 30 release notes. This should not go into the Firefox 29 release notes. I suspect you may want to wait until it is RESOLVED FIXED though.
Re-assigning the tracking bug because I'm basically on the hook for this.
Assignee: brian → dkeeler
Assignee: dkeeler → brian
Depends on: 985021
Depends on: 985025
Depends on: 985201
Depends on: 986171
I'm beginning the renaming of open bugs with "insanity::pkix" in the title as part of renaming the project to "mozilla::pkix". You'll likely receive a lot of bugspam. Apologies in advance.
Alias: insanity::pkix → mozilla::pkix
Summary: Make insanity::pkix the default certificate verifier → Make mozilla::pkix the default certificate verifier
Depends on: 987262
Depends on: 987295
No longer depends on: 982340
No longer depends on: 982536
No longer depends on: 986171
Depends on: 989516
Since bug 986156 is inbound and bug 987295 and bug 989516 are ready to land, we're looking to turn this on today. The intention of this patch is to add the pref (default false) to anything using gecko. Adding the pref (default true) in firefox.js makes it so it is only enabled in Firefox.
Comment on attachment 8399611 [details] [diff] [review] patch Review of attachment 8399611 [details] [diff] [review]: ----------------------------------------------------------------- Why dont we make another bug (with this patch) to enable mozilla::pkix in firefox(only) and leave this when we what to have all products with it as default? (when we actually change the value in nsNSSComponent)
Attachment #8399611 - Flags: review?(cviecco) → review-
Depends on: 990248
Comment on attachment 8399611 [details] [diff] [review] patch Ok - filed bug 990248.
Depends on: 991177
Depends on: 991902
No longer depends on: 990557
No longer depends on: 994981
No longer depends on: 989051
Do we know if it is going to be shipped with 30?
It is on 30,(In reply to Sylvestre Ledru [:sylvestre] from comment #9) > Do we know if it is going to be shipped with 30? The new certverifier is on 30 but it is not enabled by default as it has several performance and compatibility issues. The goal is default for 31.
Depends on: 997843
Depends on: 997994
No longer depends on: 997994
Depends on: 998517
Hey brian, can you take a look at the patch. Do you think we can land this as default before 31 becomes aurora? (if so please review the patch) I can land it.
Comment on attachment 8412359 [details] [diff] [review] make-mozilla-pkix-default-certverifier Review of attachment 8412359 [details] [diff] [review]: ----------------------------------------------------------------- This fill fix an issue on android (Bug 1001240) so we want it before the uplift on monday (this is just flippling a switch for all gecko instead of only for desktop).
Attachment #8412359 - Flags: review?(honzab.moz)
Assignee: brian → cviecco
Comment on attachment 8412359 [details] [diff] [review] make-mozilla-pkix-default-certverifier Review of attachment 8412359 [details] [diff] [review]: ----------------------------------------------------------------- Thanks. I suggest emailing dev-platform to let the Thunderbird/SeaMonkey people know that they should look for trouble. You may want to explicitly mention bug 982340 to them.
Attachment #8412359 - Flags: review?(honzab.moz) → review+
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Marking tracking for 31 so that we can get this into QA test plans while it's on beta -- can someone put in steps for QA verification on this new feature?
This page should have the information necessary to test: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Request_for_Testing Testing basically consists of browsing https sites and making sure we get the same results as before (in some cases the behavior is different, but we definitely shouldn't be breaking any sites that use a certificate signed by a CA in our root program). The pref "security.use_mozillapkix_verification" controls whether or not the new library is in use. There's also an automated compatibility testing script Matt Wobensmith developed. It would be great to run that, too.
(In reply to Lukas Blakk [:lsblakk] from comment #17) > Marking tracking for 31 so that we can get this into QA test plans while it's on beta Assuming you mean Firefox 30 Beta based on the status flags. Matt is already assigned here so I trust he can take care of verifying this is fixed.
Yes, I'll own QA verification. Thanks all.
This doesn't look to have landed on 30 at all - can someone confirm? I see it landing pre-merge to central (31). Also, yes, Matt will have this (my confusion was about this not being a sec bug)
This feature was targeted for Fx31. I believe it's present in Fx30 but off by default.
Added in the release notes: "mozilla::pkix as default certificate verifier"
Target Milestone: mozilla30 → mozilla31
Hi Matt, as we get close to the release for 31 we're looking to verify all fixes marked as "verifyme". Since this is one of them, I wanted to ask you whether you're handling this one or if you need some help from us.
The default setting for mozilla::pkix in Fx31 is indeed turned on, so I am marking this as verified.
Depends on: CVE-2014-8642
You need to log in before you can comment on or make changes to this bug.