January 2014 batch of EV root CA changes

RESOLVED FIXED in mozilla30

Status


Core
Security: PSM
--
enhancement
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: Kathleen Wilson, Assigned: cviecco)

Tracking

unspecified
mozilla30
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
The purpose of this bug is to use a single patch to make the code changes for the January 2014 batch of EV-enablement changes (see the list of bugs this one blocks).

Please enable EV treatment for the following root certs by making the requested modifications to
source/security/manager/ssl/src/nsIdentityChecking.cpp

Bug #935674 – Firmaprofesional
Test URL: https://publifirma.firmaprofesional.com/
Add these lines:
{
// CN = Autoridad de Certificacion Firmaprofesional CIF A62634068, C = ES
"1.3.6.1.4.1.13177.10.1.3.10",
"Firmaprofesional EV OID",
SEC_OID_UNKNOWN,
"AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA",
"MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh"
"Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=",
"U+w77vuySF8=",
nullptr
},

Bug #901608 – TWCA 
Test URL: https://evssldemo3.twca.com.tw/index.html 
Add these lines:
{
// CN = TWCA Global Root CA, OU = Root CA, O = TAIWAN-CA, C = TW
"1.3.6.1.4.1.40869.1.1.22.3",
"TWCA EV OID",
SEC_OID_UNKNOWN,
"9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65",
"MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv"
"b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=",
"DL4=",
nullptr
},

Bug #915946 – E-Tugra
Test URL: https://sslev.e-tugra.com.tr/
Add these lines:
{
// CN = E-Tugra Certification Authority, OU = E-Tugra Sertifikasyon Merkezi, O = E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., L = Ankara, C = TR
"2.16.792.3.0.4.1.1.4",
"ETugra EV OID",
SEC_OID_UNKNOWN,
"51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39",
"MIGyMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1"
"xJ9yYSBFQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEu"
"xZ4uMSYwJAYDVQQLDB1FLVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYG"
"A1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
"amg+nFGby1M=",
nullptr
},


After you make the change, please update this bug with a link to the test build. I will test, and then ask the corresponding CAs to test.

Thanks.
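Each entry above packs the policy OID, a display name, the root's SHA-1 fingerprint, the base64 DER-encoded subject name and the base64 serial number. As an added example (not part of this bug and not code from nsIdentityChecking.cpp), the following Python script decodes those fields so an entry can be sanity-checked against its comment before it is committed: it parses the DER Name into its RDNs, renders it the way the comments do, extracts the serial bytes and reports obviously malformed fields. The entry values are copied from the description; the minimal DER reader and the check rules are written for this example and are assumptions, not anything the PSM code does.

```python
import base64
import re

# Attribute types that occur in the subject names of the three roots above
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
              "2.5.4.10": "O", "2.5.4.11": "OU"}

# The three entries from the description as (policy OID, name, SHA-1 fingerprint,
# base64 DER subject, base64 serial); SEC_OID_UNKNOWN and nullptr are omitted.
ENTRIES = [
    ("1.3.6.1.4.1.13177.10.1.3.10", "Firmaprofesional EV OID",
     "AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA",
     "MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh"
     "Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=",
     "U+w77vuySF8="),
    ("1.3.6.1.4.1.40869.1.1.22.3", "TWCA EV OID",
     "9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65",
     "MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv"
     "b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=",
     "DL4="),
    ("2.16.792.3.0.4.1.1.4", "ETugra EV OID",
     "51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39",
     "MIGyMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1"
     "xJ9yYSBFQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEu"
     "xZ4uMSYwJAYDVQQLDB1FLVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYG"
     "A1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
     "amg+nFGby1M="),
]


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Convert DER OBJECT IDENTIFIER contents to dotted-decimal text."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_name(b64_name):
    """Decode a base64 DER Name into [(attribute, value), ...] in encoded order."""
    der = base64.b64decode(b64_name)
    tag, name, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("subject is not a single DER SEQUENCE")
    attrs = []
    pos = 0
    while pos < len(name):
        tag, rdn, pos = _read_tlv(name, pos)  # RelativeDistinguishedName is a SET
        if tag != 0x31:
            raise ValueError("expected SET for RDN")
        inner = 0
        while inner < len(rdn):
            tag, atv, inner = _read_tlv(rdn, inner)  # AttributeTypeAndValue is a SEQUENCE
            if tag != 0x30:
                raise ValueError("expected SEQUENCE for AttributeTypeAndValue")
            _, oid_raw, after_oid = _read_tlv(atv, 0)
            _, val_raw, _ = _read_tlv(atv, after_oid)  # PrintableString or UTF8String
            oid = _decode_oid(oid_raw)
            attrs.append((ATTR_NAMES.get(oid, oid), val_raw.decode("utf-8")))
    return attrs


def format_subject(b64_name):
    """Render the name most-specific first, the way the comment above each entry does."""
    return ", ".join(f"{k} = {v}" for k, v in reversed(parse_name(b64_name)))


def serial_hex(b64_serial):
    """Serial number bytes (the INTEGER contents) as lowercase hex."""
    return base64.b64decode(b64_serial).hex()


def check_entry(entry):
    """Return a list of problems with one entry; an empty list means it looks well-formed."""
    oid, _name, fingerprint, b64_name, b64_serial = entry
    problems = []
    if not re.fullmatch(r"\d+(\.\d+)+", oid):
        problems.append("policy OID is not dotted-decimal")
    if not re.fullmatch(r"([0-9A-F]{2}:){19}[0-9A-F]{2}", fingerprint):
        problems.append("fingerprint is not 20 colon-separated uppercase hex bytes (SHA-1)")
    try:
        if not any(k == "CN" for k, _ in parse_name(b64_name)):
            problems.append("subject has no CN")
    except (ValueError, UnicodeDecodeError, IndexError) as exc:
        problems.append(f"subject does not decode: {exc}")
    if not base64.b64decode(b64_serial):
        problems.append("serial number is empty")
    return problems


if __name__ == "__main__":
    for entry in ENTRIES:
        print(entry[1], "->", format_subject(entry[3]), "| serial", serial_hex(entry[4]),
              "| problems:", check_entry(entry) or "none")
```

Running it prints each subject in the "CN = ..., C = ..." form used in the comments, which is the quickest way to catch a copy-paste slip in the base64 before a try build is spun. The reader only understands the string types and attribute OIDs these three names use; a real review would compare the fingerprint and serial against the root certificate itself.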
(Assignee)

Updated

4 years ago
Assignee: nobody → cviecco
(Assignee)

Comment 1

4 years ago
https://tbpl.mozilla.org/?tree=Try&rev=41859fee58b0

However the TWCA site is a fail. :( There is something wrong with the OCSP (I think it is on their side), so the page will halt for a while and then fall back to DV.

Comment 2

Can we defer this to Firefox 31? We have many things to do for Firefox 30 still and we're running out of runway, especially if you still want the 1024-bit root removals to happen in Firefox 29 or 30.
Flags: needinfo?(kwilson)
(Reporter)

Comment 3

4 years ago
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #2)
> Can we defer this to Firefox 31? 

Yes.
Flags: needinfo?(kwilson)
(Reporter)

Comment 4

4 years ago
(In reply to Camilo Viecco (:cviecco) from comment #1)
>  https://tbpl.mozilla.org/?tree=Try&rev=41859fee58b0
> 
> However the  TWCA  site is a fail. :( there is something wrong witht the
> ocsp (I think is their side) so the page will halt for a while and then
> fallback to dv.


Interesting. I tested it yesterday with ESR 24 debug, and got the EV treatment. 
I'll test it again tomorrow.
(Reporter)

Comment 5

4 years ago
(In reply to Kathleen Wilson from comment #4)
> (In reply to Camilo Viecco (:cviecco) from comment #1)
> >  https://tbpl.mozilla.org/?tree=Try&rev=41859fee58b0
> > 
> > However the  TWCA  site is a fail. :( there is something wrong witht the
> > ocsp (I think is their side) so the page will halt for a while and then
> > fallback to dv.
> 
> 
> Interesting. I tested it yesterday with ESR 24 debug, and got the EV
> treatment. 
> I'll test it again tomorrow.


I just tested again with ESR 24 debug, and got the EV treatment for the TWCA test.

Will try again when we're ready to test with FF 31. 

Thanks.
(Assignee)

Comment 6

4 years ago
So I think there is a race condition on the display of EV certs.

I was looking at the logs and noticed that sometimes EV was declared successful.

If I try https://evssldemo3.twca.com.tw/index_files/logo_en.gif (erasing history) and reload several times, eventually the display wins the race and I get EV treatment. Will need to investigate this further.

Comment 7

4 years ago
I use the released version of Firefox to test, with the option set that makes an OCSP validation failure treat the certificate as invalid.
The DV status is OK. I have not tested the EV treatment; where can I download the test version?

Thanks,
Robin Lin
(Assignee)

Comment 8

4 years ago
(In reply to Robin Lin from comment #7)
> I  use released version of Firefox to test, and set the option of OCSP
> validation fail will treat the certificate is invalid.
> The DV status is OK. I have not test the EV treatment, where can I download
> the test version?
You can download it from https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/cviecco@mozilla.com-41859fee58b0/

The issue that I found is that (from the Mozilla office) DNS resolution for the OCSP responders is too slow (2.5 seconds to report initial failure), and thus the timeout for getting OCSP responses is reached (10 seconds after multiple DNS resolution attempts), and we fall back to DV validation. Once it is on the DV path we currently cache the resource with the SSL state, so that from that moment on we keep showing DV status for that particular URL until the browser cache gets invalidated.
(Reporter)

Comment 9

4 years ago
(In reply to Camilo Viecco (:cviecco) from comment #8)
> Once it
> is on the DV path we currently cache the resource with the ssl state so that
> from that moment on we keep showing DV status for that particular URL until
> the browser cache gets invalidated.

So, if a website upgrades to an EV SSL cert, all of their customers who previously browsed to their website will not see the EV treatment until they refresh their browser cache?

Comment 10

My understanding is that if the certificate changes, the cached status will be updated.

Comment 11

4 years ago
I used Nightly build 30 to test; both our 2048-bit and 4096-bit CAs could not get the EV treatment.
But it is OK for an existing EV root if using Firefox 27.
(Reporter)

Comment 12

4 years ago
(In reply to Camilo Viecco (:cviecco) from comment #6)
> So I think there is a race condition on the display of EV certs.

(In reply to Robin Lin from comment #11)
> I used nightly build 30 to test, both our 2048 bits and 4096 bits CA could
> not get the EV treatment.
> But it is OK for existing EV Root if using Firefox 27.

Camilo, did something change between Firefox 27 and Firefox 30 that might explain why we are now seeing this race condition?
(Assignee)

Comment 13

4 years ago
> 
> Camilo, Did something change between Firefox 27 and Firefox 30 that might
> explain why we are now seeing this race condition?

The OCSP timeouts were reduced, so it went from 20 secs to 13 secs for EV. Anyway, 13 seconds is way too much. I just tested the TWCA site and it worked with EV now (seems like DNS is now better).
(Assignee)

Comment 14

4 years ago
Created attachment 8389465 [details] [diff] [review]
ev-jan-2014-batch
Attachment #8389465 - Flags: review?(dkeeler)

Comment 15

Comment on attachment 8389465 [details] [diff] [review]
ev-jan-2014-batch

Review of attachment 8389465 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.
Attachment #8389465 - Flags: review?(dkeeler) → review+

Comment 16

https://hg.mozilla.org/mozilla-central/rev/a1a9976d954e
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
(Reporter)

Comment 17

4 years ago
Thanks!