Closed Bug 967153 Opened 10 years ago Closed 10 years ago

Update NSS to NSS 3.16

Categories

(Core :: Security: PSM, defect, P1)

Tracking

RESOLVED FIXED
mozilla30
Tracking Status
firefox29 + fixed
firefox30 --- fixed

People

(Reporter: briansmith, Assigned: cviecco)

Attachments

(1 file)

NSS 3.16 removes some root certificate authority certificates that have weak keys. We had previously committed ourselves to remove these roots in Firefox 29. So, we should uplift this change to Firefox 29.

My plan is to let NSS 3.15.5 beta 3 live on Nightly for at least one day, then land NSS 3.16 beta 1 to mozilla-inbound later this week, and then uplift NSS 3.16 beta 1 to Mozilla-Aurora later this week or early next week.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla30
https://hg.mozilla.org/integration/mozilla-inbound/rev/9e5d07c8c87b
https://hg.mozilla.org/integration/mozilla-inbound/rev/5b5e7559cda5
https://hg.mozilla.org/integration/mozilla-inbound/rev/81e6988807de

The second commit makes NSS 3.16 the minimum acceptable version of NSS for system NSS. The third commit adds the NSS name constraint test cases that should have been added in the first commit (I forgot to "hg addremove").
Blocks: 900727, 915931
Attached file Update NSS to NSS 3.16
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Kathleen Wilson (Mozilla CA Policy Module Owner) needs to have NSS updated to NSS 3.16 in Firefox 29 in order to remove some root certificates that are using weak (1024-bit) keys.

User impact if declined: More susceptibility to crypto, broken promises, crushed dreams.

Testing completed (on m-c, etc.): This has been on m-c since yesterday. We are doing these root removals in coordination with the CAs, who already have other roots with stronger keys in NSS.

Risk to taking this patch (and alternatives if risky): Some compatibility risk if there are any websites that require these removed roots.

String or IDL/UUID changes made by this patch: None.
Attachment #8374644 - Flags: approval-mozilla-aurora?
Attachment #8374644 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
No longer blocks: 896620
Depends on: 973592
No longer blocks: 915931
Depends on: 974262
Depends on: 974500
No longer blocks: 900727
NSS 3.16 beta3 undoes the 1024-bit root removals that were causing the compatibility problems, so removing the dependencies on bug 974500, bug 973592, and bug 974262.
No longer depends on: 973592, 974262, 974500
Bug 968567 isn't needed in the NSS 3.16 timeframe so removing that bug's dependency on this bug.
No longer blocks: 968567
NSS 3.16 (NSS_3_16_RTM) pushed to mozilla-inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8ff12456c32b
Priority: -- → P1
Whiteboard: [leave open]
https://hg.mozilla.org/mozilla-central/rev/8ff12456c32b
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
status-firefox29 ISN'T yet fixed, because the RTM version still needs to land into the 29 branch (today still aurora).

Camilo, can you please help to get this done?
Assignee: brian → cviecco
Will do.
Comment on attachment 8374644
Update NSS to NSS 3.16

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Kathleen Wilson (Mozilla CA Policy Module Owner) needs to have NSS updated to NSS 3.16 in Firefox 29 in order to remove some root certificates that are using weak (1024-bit) keys. There was some confusion and the RTM version did not land in aurora before the merge (just the beta 5).

User impact if declined: More susceptibility to crypto, broken promises, crushed dreams.

Testing completed (on m-c, etc.): The latest version has been on m-c since Friday (beta 5 since 2 weeks ago). We are doing these root removals in coordination with the CAs, who already have other roots with stronger keys in NSS.

Risk to taking this patch (and alternatives if risky): Some compatibility risk if there are any websites that require these removed roots.

String or IDL/UUID changes made by this patch: None.
Attachment #8374644 - Flags: approval-mozilla-beta?
Attachment #8374644 - Attachment mime type: application/x-shellscript → text/plain
(In reply to Camilo Viecco (:cviecco) from comment #21)
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): Kathleen Wilson (Mozilla CA Policy
> Module Owner) needs to have NSS updated to NSS 3.16 in Firefox 29 in order
> to remove some root certificates that are using weak (1024-bit) keys. There
> was some confusion and the RTM version did not land in aurora before the
> merge (just the beta 5).

The root removals in NSS 3.16 were reverted a few weeks ago. Firefox 29 Aurora already had NSS 3.16 beta 5. The changes between beta 5 and RTM were very small bug fixes that are very low risk.

> Testing completed (on m-c, etc.): The latest version has been on m-c since
> Friday (beta 5 since 2 weeks ago). We are doing these root removals in
> coordination with the CAs, who already have other roots with stronger keys
> in NSS.

This also applies to mozilla-aurora, which has been using beta 5.

> Risk to taking this patch (and alternatives if risky): Some compatibility
> risk if there are any websites that require these removed roots.

There is basically no risk to taking this patch since the root removals were reversed.
Attachment #8374644 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
http://hg.mozilla.org/releases/mozilla-beta/rev/a7b083b7ddaa since I was confused not seeing 3.16 required in 29.0b3.
Should update to 3.16.1 before 30.0 gold.