diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
index 44b2c9d21040..d65467c43a9e 100644
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -96,6 +96,14 @@ pref("app.update.log", false);
 // the failure.
 pref("app.update.backgroundMaxErrors", 10);
 
+// The aus update xml certificate checks for application update are disabled on
+// Windows since the mar signature check which is currently only implemented on
+// Windows is sufficient for preventing us from applying a mar that is not
+// valid.
+#ifdef XP_WIN
+pref("app.update.cert.requireBuiltIn", false);
+pref("app.update.cert.checkAttributes", false);
+#else
 // When |app.update.cert.requireBuiltIn| is true or not specified the
 // final certificate and all certificates the connection is redirected to before
 // the final certificate for the url specified in the |app.update.url|
@@ -144,6 +152,7 @@ pref("app.update.certs.1.commonName", "aus3.mozilla.org");
 pref("app.update.certs.2.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
 pref("app.update.certs.2.commonName", "aus3.mozilla.org");
 #endif
+#endif
 
 // Whether or not app updates are enabled
 pref("app.update.enabled", true);
diff --git a/browser/metro/profile/metro.js b/browser/metro/profile/metro.js
index 7b6bb17e02e3..a66360a8343a 100644
--- a/browser/metro/profile/metro.js
+++ b/browser/metro/profile/metro.js
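Review bot: The comment added above `#ifdef XP_WIN` justifies setting `app.update.cert.requireBuiltIn` and `app.update.cert.checkAttributes` to false solely by the mar signature check, but that check covers the downloaded archive, not the update xml that these two prefs protect. With both off, the xml response is authenticated only by ordinary TLS validation, so a chain ending in a non-built-in root (enterprise or locally installed) is accepted, and update offers could presumably be withheld or altered in transit even though an invalid mar would still be refused. I would record that residual risk in the comment, e.g. `// Note: the mar signature check does not authenticate the update xml; suppressed or altered update offers are not detected with these prefs off.` The block is keyed on the platform rather than on whether mar verification is actually built in, so it is worth confirming that no Windows configuration ships without it. The `#else` branch runs past this hunk and is closed only by the bare `+#endif` in the second hunk, where a preceding comment line naming XP_WIN would make the nesting readable.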
@@ -489,52 +489,22 @@ pref("app.update.log", false);
 // the failure.
 pref("app.update.backgroundMaxErrors", 10);
 
+// The aus update xml certificate checks for application update are disabled on
+// Windows since the mar signature check which is currently only implemented on
+// Windows is sufficient for preventing us from applying a mar that is not
+// valid.
+
 // When |app.update.cert.requireBuiltIn| is true or not specified the
 // final certificate and all certificates the connection is redirected to before
 // the final certificate for the url specified in the |app.update.url|
 // preference must be built-in.
-pref("app.update.cert.requireBuiltIn", true);
+pref("app.update.cert.requireBuiltIn", false);
 
 // When |app.update.cert.checkAttributes| is true or not specified the
 // certificate attributes specified in the |app.update.certs.| preference branch
 // are checked against the certificate for the url specified by the
 // |app.update.url| preference.
-pref("app.update.cert.checkAttributes", true);
-
-// The number of certificate attribute check failures to allow for background
-// update checks before notifying the user of the failure. User initiated update
-// checks always notify the user of the certificate attribute check failure.
-pref("app.update.cert.maxErrors", 5);
-
-// The |app.update.certs.| preference branch contains branches that are
-// sequentially numbered starting at 1 that contain attribute name / value
-// pairs for the certificate used by the server that hosts the update xml file
-// as specified in the |app.update.url| preference. When these preferences are
-// present the following conditions apply for a successful update check:
-// 1. the uri scheme must be https
-// 2. the preference name must exist as an attribute name on the certificate and
-// the value for the name must be the same as the value for the attribute name
-// on the certificate.
-// If these conditions aren't met it will be treated the same as when there is
-// no update available. This validation will not be performed when the
-// |app.update.url.override| user preference has been set for testing updates or
-// when the |app.update.cert.checkAttributes| preference is set to false. Also,
-// the |app.update.url.override| preference should ONLY be used for testing.
-// IMPORTANT! firefox.js should also be updated for updates to certs.X.issuerName
-
-// Non-release builds (Nightly, Aurora, etc.) have been switched over to aus4.mozilla.org.
-// This condition protects us against accidentally using it for release builds.
-#ifndef RELEASE_BUILD
-pref("app.update.certs.1.issuerName", "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US");
-pref("app.update.certs.1.commonName", "aus4.mozilla.org");
-pref("app.update.certs.2.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
-pref("app.update.certs.2.commonName", "aus4.mozilla.org");
-#else
-pref("app.update.certs.1.issuerName", "OU=Equifax Secure Certificate Authority,O=Equifax,C=US");
-pref("app.update.certs.1.commonName", "aus3.mozilla.org");
-pref("app.update.certs.2.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
-pref("app.update.certs.2.commonName", "aus3.mozilla.org");
-#endif
+pref("app.update.cert.checkAttributes", false);
 
 // User-settable override to app.update.url for testing purposes.
 //pref("app.update.url.override", "");
diff --git a/toolkit/mozapps/update/test/chrome/test_0121_check_requireBuiltinCert.xul b/toolkit/mozapps/update/test/chrome/test_0121_check_requireBuiltinCert.xul
index 7cdc6885894e..3b0aabfe80fe 100644
--- a/toolkit/mozapps/update/test/chrome/test_0121_check_requireBuiltinCert.xul
+++ b/toolkit/mozapps/update/test/chrome/test_0121_check_requireBuiltinCert.xul
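Review bot: The two retained comment blocks in metro.js still say each check applies when its pref is "true or not specified", yet they now sit directly above `false` values, and the `app.update.certs.` pins and `app.update.cert.maxErrors` are deleted from this file. By those comments an unspecified pref counts as true, so the two explicit `false` lines are what keeps the checks off; if `app.update.cert.checkAttributes` is later set back to true there are no pinned attributes left here to compare against, and how the update service behaves in that state is not visible in this diff. I would add a line above the prefs such as `// Both prefs must stay explicitly false: unspecified means true, and the app.update.certs.* pins were removed from this file.` The new justification comment is also separated from the prefs it explains by the added blank line, and it does not say that the xml is then covered only by normal TLS validation.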
@@ -81,6 +81,9 @@ function testXHRLoad(aEvent) { aCertAttrName, cert[aCertAttrName]); }); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, true); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, false); + let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" + getVersionParams(); gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL); diff --git a/toolkit/mozapps/update/test/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul b/toolkit/mozapps/update/test/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul index 816ff8851dc8..8c56898b1105 100644 --- a/toolkit/mozapps/update/test/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul +++ b/toolkit/mozapps/update/test/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul @@ -82,6 +82,7 @@ function testXHRLoad(aEvent) { }); Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true); let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" + getVersionParams(); diff --git a/toolkit/mozapps/update/test/chrome/test_0131_check_invalidCertAttrs_noUpdate.xul b/toolkit/mozapps/update/test/chrome/test_0131_check_invalidCertAttrs_noUpdate.xul index 407356e50006..1da1d6d98a0a 100644 --- a/toolkit/mozapps/update/test/chrome/test_0131_check_invalidCertAttrs_noUpdate.xul +++ b/toolkit/mozapps/update/test/chrome/test_0131_check_invalidCertAttrs_noUpdate.xul @@ -35,6 +35,8 @@ function runTest() { Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME, "Invalid Attribute Name"); Services.prefs.setIntPref(PREF_APP_UPDATE_CERT_ERRORS, 1); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true); let url = "https://example.com/" + URL_PATH + "/update.sjs?noUpdates=1"; gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL); 
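Review bot: The added `Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, true);` and `Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, false);` write user-branch values, and nothing in this hunk resets them. testXHRLoad starts and ends outside the hunk, so the reset may exist in shared cleanup, but if that cleanup does not call `Services.prefs.clearUserPref` for both prefs the values would carry into later update tests, which matters now that the shipped defaults differ by platform. The same applies to the lines added in test_0122, test_0131, test_0132, test_0141 and test_0142. A one-line comment above each pair, e.g. `// Set explicitly: the default is false on Windows.`, would also explain why the tests no longer rely on the defaults.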
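Review bot: In test_0131 the two added `setBoolPref` lines force the attribute check back on, as the other test hunks on this page do for their own cases, so every certificate test shown here runs with at least one check enabled. None of the visible hunks exercises the configuration that now ships on Windows, with `app.update.cert.requireBuiltIn` and `app.update.cert.checkAttributes` both false. Since the commit's rationale is that the mar signature check is sufficient, I would expect a companion test that runs an update check with both prefs false and asserts that a mar with an invalid signature is still rejected; such a test may exist elsewhere in the suite, which this page does not show. runTest's body continues outside the hunk.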
diff --git a/toolkit/mozapps/update/test/chrome/test_0132_check_invalidCertAttrs_hasUpdate.xul b/toolkit/mozapps/update/test/chrome/test_0132_check_invalidCertAttrs_hasUpdate.xul index 6f25d6d88ff7..6089cf69c439 100644 --- a/toolkit/mozapps/update/test/chrome/test_0132_check_invalidCertAttrs_hasUpdate.xul +++ b/toolkit/mozapps/update/test/chrome/test_0132_check_invalidCertAttrs_hasUpdate.xul @@ -35,6 +35,8 @@ function runTest() { Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME, "Invalid Attribute Name"); Services.prefs.setIntPref(PREF_APP_UPDATE_CERT_ERRORS, 1); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true); let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" + getVersionParams(); diff --git a/toolkit/mozapps/update/test/chrome/test_0141_notify_invalidCertAttrs_noUpdate.xul b/toolkit/mozapps/update/test/chrome/test_0141_notify_invalidCertAttrs_noUpdate.xul index 5856e27c0142..c69b703569ae 100644 --- a/toolkit/mozapps/update/test/chrome/test_0141_notify_invalidCertAttrs_noUpdate.xul +++ b/toolkit/mozapps/update/test/chrome/test_0141_notify_invalidCertAttrs_noUpdate.xul @@ -32,6 +32,8 @@ function runTest() { Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME, "Invalid Attribute Name"); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true); let url = "https://example.com/" + URL_PATH + "/update.sjs?noUpdates=1"; gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL); diff --git a/toolkit/mozapps/update/test/chrome/test_0142_notify_invalidCertAttrs_hasUpdate.xul b/toolkit/mozapps/update/test/chrome/test_0142_notify_invalidCertAttrs_hasUpdate.xul index fee89b12e246..c296c8f1be43 100644 --- a/toolkit/mozapps/update/test/chrome/test_0142_notify_invalidCertAttrs_hasUpdate.xul 
+++ b/toolkit/mozapps/update/test/chrome/test_0142_notify_invalidCertAttrs_hasUpdate.xul @@ -32,6 +32,8 @@ function runTest() { Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME, "Invalid Attribute Name"); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false); + Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true); let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" + getVersionParams();