Closed Bug 962740 (opened 6 years ago, closed 6 years ago)

January 2014 batch of EV root CA changes

Product/Component: Core :: Security: PSM (enhancement)
Status: RESOLVED FIXED
Target Milestone: mozilla30
Reporter: kwilson, Assigned: cviecco
Attachments: 1 file

The purpose of this bug is to use a single patch to make the code changes for the January 2014 batch of EV-enablement changes (see the list of bugs this one blocks).

Please enable EV treatment for the following root certs by making the requested modifications to
source/security/manager/ssl/src/nsIdentityChecking.cpp

Bug #935674 – Firmaprofesional
Test URL: https://publifirma.firmaprofesional.com/
Add these lines:
{
// CN = Autoridad de Certificacion Firmaprofesional CIF A62634068, C = ES
"1.3.6.1.4.1.13177.10.1.3.10",
"Firmaprofesional EV OID",
SEC_OID_UNKNOWN,
"AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA",
"MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh"
"Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=",
"U+w77vuySF8=",
nullptr
},

Bug #901608 – TWCA
Test URL: https://evssldemo3.twca.com.tw/index.html
Add these lines:
{
// CN = TWCA Global Root CA, OU = Root CA, O = TAIWAN-CA, C = TW
"1.3.6.1.4.1.40869.1.1.22.3",
"TWCA EV OID",
SEC_OID_UNKNOWN,
"9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65",
"MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv"
"b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=",
"DL4=",
nullptr
},

Bug #915946 – E-Tugra
Test URL: https://sslev.e-tugra.com.tr/
Add these lines:
{
// CN = E-Tugra Certification Authority, OU = E-Tugra Sertifikasyon Merkezi, O = E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., L = Ankara, C = TR
"2.16.792.3.0.4.1.1.4",
"ETugra EV OID",
SEC_OID_UNKNOWN,
"51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39",
"MIGyMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1"
"xJ9yYSBFQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEu"
"xZ4uMSYwJAYDVQQLDB1FLVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYG"
"A1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
"amg+nFGby1M=",
nullptr
},
After you make the change, please update this bug with a link to the test build. I will test, and then ask the corresponding CAs to test.

Thanks.
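An added example, not part of this bug or of Mozilla's code: in each entry requested above, the two base64 fields are the DER-encoded issuer Name and the serial number of the root. The Python below decodes the Firmaprofesional entry with a minimal DER parser (assumed: one attribute per RDN, UTF8String/PrintableString values, which holds for the three entries here) and checks that the CN in the comment line agrees with what the DER actually encodes, the kind of consistency check a reviewer would want before landing such a batch.

```python
import base64
# Constructed copy of one entry requested above; base64 fields are the DER issuer Name and serial.
FIRMAPROFESIONAL = {
    "comment": "CN = Autoridad de Certificacion Firmaprofesional CIF A62634068, C = ES",
    "oid": "1.3.6.1.4.1.13177.10.1.3.10",
    "issuer_b64": "MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh"
                  "Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=",
    "serial_b64": "U+w77vuySF8=",
}
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (E-Tugra's longer name needs it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OID content octets into dotted form, e.g. 55 04 03 -> '2.5.4.3'."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue into [(type, value)]."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "issuer field is not a DER SEQUENCE"
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        assert tag == 0x31, "RDN is not a DER SET"
        _, atv, _ = read_tlv(rdn, 0)       # assumes one attribute per RDN
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)       # assumes UTF8String/PrintableString
        rdns.append((ATTR_NAMES.get(decode_oid(oid), decode_oid(oid)), val.decode("utf-8")))
    return rdns

def check_entry(entry):
    """Decode issuer and serial; True if the comment's CN agrees with the DER name."""
    name = parse_name(base64.b64decode(entry["issuer_b64"]))
    serial = base64.b64decode(entry["serial_b64"]).hex()
    cn = dict(name).get("CN")
    return name, serial, cn is not None and "CN = " + cn in entry["comment"]
```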
Assignee: nobody → cviecco
https://tbpl.mozilla.org/?tree=Try&rev=41859fee58b0

However, the TWCA site is a fail. :( There is something wrong with the OCSP (I think it is on their side), so the page will halt for a while and then fall back to DV.
Can we defer this to Firefox 31? We have many things to do for Firefox 30 still and we're running out of runway--especially if you still want the 1024-bit root removals to happen in Firefox 29 or 30.
Flags: needinfo?(kwilson)
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #2)
> Can we defer this to Firefox 31? 

Yes.
Flags: needinfo?(kwilson)
(In reply to Camilo Viecco (:cviecco) from comment #1)
>  https://tbpl.mozilla.org/?tree=Try&rev=41859fee58b0
> 
> However the  TWCA  site is a fail. :( there is something wrong witht the
> ocsp (I think is their side) so the page will halt for a while and then
> fallback to dv.


Interesting. I tested it yesterday with ESR 24 debug, and got the EV treatment. 
I'll test it again tomorrow.
(In reply to Kathleen Wilson from comment #4)
> (In reply to Camilo Viecco (:cviecco) from comment #1)
> >  https://tbpl.mozilla.org/?tree=Try&rev=41859fee58b0
> > 
> > However the  TWCA  site is a fail. :( there is something wrong witht the
> > ocsp (I think is their side) so the page will halt for a while and then
> > fallback to dv.
> 
> 
> Interesting. I tested it yesterday with ESR 24 debug, and got the EV
> treatment. 
> I'll test it again tomorrow.


I just tested again with ESR 24 debug, and got the EV treatment for the TWCA test.

Will try again when we're ready to test with FF 31. 

Thanks.
So I think there is a race condition on the display of EV certs.

I was looking at the logs and noticed that sometimes EV was declared successful.

If I try https://evssldemo3.twca.com.tw/index_files/logo_en.gif (erasing history) and reload several times, eventually the display wins the race and I get EV treatment. Will need to investigate this further.
I use the released version of Firefox to test, and set the option so that an OCSP validation failure treats the certificate as invalid.
The DV status is OK. I have not tested the EV treatment; where can I download the test version?

Thanks,
Robin Lin
(In reply to Robin Lin from comment #7)
> I  use released version of Firefox to test, and set the option of OCSP
> validation fail will treat the certificate is invalid.
> The DV status is OK. I have not test the EV treatment, where can I download
> the test version?
You can download it from https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/cviecco@mozilla.com-41859fee58b0/

The issue that I found is that (from the Mozilla office) DNS resolution for the OCSP responders is too slow (2.5 seconds to report initial failure), and thus the timeout for getting OCSP responses is reached (10 seconds after multiple DNS resolution attempts), and we fall back to DV validation. Once it is on the DV path we currently cache the resource with the SSL state, so that from that moment on we keep showing DV status for that particular URL until the browser cache gets invalidated.
(In reply to Camilo Viecco (:cviecco) from comment #8)
> Once it
> is on the DV path we currently cache the resource with the ssl state so that
> from that moment on we keep showing DV status for that particular URL until
> the browser cache gets invalidated.

So, if a website upgrades to an EV SSL cert, all of their customers who previously browsed to their website will not see the EV treatment until they refresh their browser cache?
My understanding is if the certificate changes, the cached status will be updated.
I used nightly build 30 to test; both our 2048-bit and 4096-bit CAs could not get the EV treatment.
But it is OK for an existing EV root if using Firefox 27.
(In reply to Camilo Viecco (:cviecco) from comment #6)
> So I think there is a race condition on the display of EV certs.

(In reply to Robin Lin from comment #11)
> I used nightly build 30 to test, both our 2048 bits and 4096 bits CA could
> not get the EV treatment.
> But it is OK for existing EV Root if using Firefox 27.

Camilo, did something change between Firefox 27 and Firefox 30 that might explain why we are now seeing this race condition?
> 
> Camilo, Did something change between Firefox 27 and Firefox 30 that might
> explain why we are now seeing this race condition?

The OCSP timeouts were reduced, so it went from 20 secs to 13 secs for EV. Anyway, 13 seconds is way too much. I just tested the TWCA site and it worked with EV now. (Seems like DNS is now better.)
Attachment #8389465 - Flags: review?(dkeeler)
Comment on attachment 8389465 [details] [diff] [review]
ev-jan-2014-batch

Review of attachment 8389465 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.
Attachment #8389465 - Flags: review?(dkeeler) → review+
https://hg.mozilla.org/mozilla-central/rev/a1a9976d954e
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Thanks!