John M. Schanck
06c7606fd3
Bug 1803704 - Disable EV Treatment for "Network Solutions Certificate Authority". r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D163735
2022-12-02 18:41:39 +00:00
Dana Keeler
c6dce08962
Bug 1799040 - disable EV treatment for "Staat der Nederlanden EV Root CA" r=jschanck
...
Differential Revision: https://phabricator.services.mozilla.com/D161527
2022-11-07 21:48:56 +00:00
Mike Hommey
969d7bb6fd
Bug 1795219 - Remove -Wall setup in security/{ct,certverifier}/moz.build. r=firefox-build-system-reviewers,andi
...
The use of `-Xclang -Wall` somehow makes `-Wno-unknown-pragmas`
ineffective. `-Xclang -Wno-unknown-pragmas` does however work.
But we don't need to set `-Xclang -Wall` from the moz.builds in the first
place, as that's already done properly via warnings.configure (setting
-Wall on non-clang-cl and -W3 on clang-cl, which is the equivalent).
Differential Revision: https://phabricator.services.mozilla.com/D159366
2022-10-17 21:55:03 +00:00
John Schanck
59119c81d9
Bug 1794479 - Gather telemetry on the age of OCSP responses used to override CRLite. r=keeler
...
Defines the OCSP_AGE_AT_CRLITE_OVERRIDE histogram which records the age of an
OCSP response, in hours, when CRLite says a certificate is revoked and OCSP
says it's OK.
Differential Revision: https://phabricator.services.mozilla.com/D158991
2022-10-13 14:08:23 +00:00
John Schanck
e2bc1afa4f
Bug 1794450 - Gather telemetry on use of revocation checking mechanisms. r=keeler
...
Adds the CERT_REVOCATION_MECHANISMS histogram with bins "CRLite", "Stapled OCSP", "Cached OCSP", "OCSP", "OneCRL", and "Short Validity" to gauge how often we use each certificate revocation checking mechanisms. The Short Validity bin counts cases where a revocation check was not performed because the certificate had a short validity period. The other bin names are self-explanatory. We may use more than one mechanism per certificate, so we may accumulate to more than one bin per certificate.
Differential Revision: https://phabricator.services.mozilla.com/D158975
2022-10-12 21:05:08 +00:00
Dennis Jackson
a0e440195f
Bug 1788290 - Record whether OCSP requests were made whilst making a TLS connection. r=keeler,necko-reviewers.
...
Differential Revision: https://phabricator.services.mozilla.com/D156105
2022-09-02 20:59:34 +00:00
Butkovits Atila
7fed5a7ef2
Backed out 3 changesets (bug 1788290) for causing build bustages. CLOSED TREE
...
Backed out changeset 52d5a06be477 (bug 1788290)
Backed out changeset a3b5d214b5d4 (bug 1788290)
Backed out changeset e94a38b79965 (bug 1788290)
2022-09-02 19:13:34 +03:00
Dennis Jackson
0e389c049e
Bug 1788290 - Record whether OCSP requests were made whilst making a TLS connection. r=keeler,necko-reviewers.
...
Differential Revision: https://phabricator.services.mozilla.com/D156105
2022-09-02 14:16:07 +00:00
Dana Keeler
b4c45d4248
Bug 1781104 - remove unnecessary bits parameter from nsICertOverrideService r=djackson,necko-reviewers,geckoview-reviewers,extension-reviewers,kershaw,calu
...
Differential Revision: https://phabricator.services.mozilla.com/D152826
2022-08-26 18:48:38 +00:00
Fabrice Desré
c50cb528fc
Bug 1761040 - Prefix thread safety macros with MOZ_ r=geckoview-reviewers,media-playback-reviewers,alwu,jesup,m_kato
...
Differential Revision: https://phabricator.services.mozilla.com/D152575
2022-08-03 16:39:41 +00:00
Andreea Pavel
3ccd75af8d
Backed out changeset b9d2965591b9 (bug 1761040) for landing with wrong author CLOSED TREE DONTBUILD
2022-08-03 18:55:00 +03:00
Andreea Pavel
fdb7cb2ecd
Bug 1761040 - Prefix thread safety macros with MOZ_ r=geckoview-reviewers,media-playback-reviewers,alwu,jesup,m_kato
...
Differential Revision: https://phabricator.services.mozilla.com/D152575
2022-08-03 15:27:43 +00:00
Andreea Pavel
89d63c91e6
Backed out changeset a907159a482f (bug 1761040) for causing build bustages on a CLOSED TREE
2022-08-02 04:59:08 +03:00
Fabrice Desré
0f4ac7ad97
Bug 1761040 - Prefix thread safety macros with MOZ_ r=geckoview-reviewers,media-playback-reviewers,alwu,jesup,m_kato
...
Differential Revision: https://phabricator.services.mozilla.com/D152575
2022-08-02 00:49:41 +00:00
Dana Keeler
270df11f4c
Bug 1770269 - Enable EV Treatment for E-Tugra v3 Global root certificates r=rmf
...
Differential Revision: https://phabricator.services.mozilla.com/D151749
2022-07-19 22:16:34 +00:00
Dana Keeler
2985f72f3a
Bug 1764397 - Enable EV Treatment for Digicert G5 root certificates r=rmf
...
Differential Revision: https://phabricator.services.mozilla.com/D151748
2022-07-19 22:16:33 +00:00
serge-sans-paille
b122b6d13d
Bug 1774865 - extra cleanup mozglue, security, intl and netwerk includes r=sylvestre
...
Differential Revision: https://phabricator.services.mozilla.com/D149670
2022-06-22 09:51:52 +00:00
Dana Keeler
aa7979464f
Bug 1769150
- try all known EV policy OIDs found in a certificate when verifying for EV r=jschanck
...
Before this patch, the certificate verifier would only attempt to build a
trusted path to a root with the first recognized EV OID in the end-entity
certificate. Thus, if an end-entity certificate had more than one EV OID, it
could fail to verify as EV if an intermediate or root had the "wrong" EV OID.
This patch addresses this shortcoming by trying to build a path with each
recognized EV OID in the end-entity certificate until it finds one that works.
Differential Revision: https://phabricator.services.mozilla.com/D149319
2022-06-15 18:20:13 +00:00
John Schanck
0c18bdf797
Bug 1773371 - Enforce CRLite revoked status when OCSP confirmation fails. r=keeler
...
This changes the behavior of CRLite when configured in `ConfirmRevocations`
mode (the default mode on nightly and early beta). Under the new definition,
ConfirmRevocations mode fails closed when OCSP fails open. In particular, a
certificate will be marked as "Revoked" in the following scenarios:
- CRLite returns "Revoked" and the certificate does not list an OCSP URL,
- CRLite returns "Revoked" and the OCSP responder is unreachable,
- CRLite returns "Revoked" and the OCSP responder returns an error.
Differential Revision: https://phabricator.services.mozilla.com/D148686
2022-06-10 16:31:39 +00:00
Dana Keeler
658b880816
Bug 1769669 - require specifying the trusted root in content signature verifier r=jschanck,leplatrem,robwu,barret
...
Before this patch, the content signature verifier
(nsIContentSignatureVerifier/ContentSignatureVerifier) would identify the root
it trusted based on the value of a preference. This patch changes the
implementation to require a specified hard-coded root to trust as with add-on
signature verification.
Depends on D146644
Differential Revision: https://phabricator.services.mozilla.com/D146645
2022-06-03 23:26:28 +00:00
Dana Keeler
3945602079
Bug 1766687 - remove support for SHA1 signatures in all certificates (including imported roots) r=jschanck
...
Previously [0], support for SHA1 signatures in certificates was disabled by
default, except for certificates issued by imported roots. Chrome had a similar
policy, but this was removed in 71 [1]. Telemetry [2] indicates that some users
do still encounter SHA1 signatures at a fraction of the rate of overall
certificate errors, so forbidding all SHA1 signatures should have minimal
compatibility impact.
[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
[1] https://chromeenterprise.google/policies/#EnableSha1ForLocalAnchors
[2] https://mzl.la/3kg5J4j
Differential Revision: https://phabricator.services.mozilla.com/D144870
2022-06-01 17:01:56 +00:00
Noemi Erli
aca984c8a8
Backed out changeset 8ef044a6a1fe (bug 1766687) for causing bustage in NSSCertDBTrustDomain.cpp
2022-06-01 02:35:17 +03:00
Dana Keeler
527bfba679
Bug 1766687 - remove support for SHA1 signatures in all certificates (including imported roots) r=jschanck
...
Previously [0], support for SHA1 signatures in certificates was disabled by
default, except for certificates issued by imported roots. Chrome had a similar
policy, but this was removed in 71 [1]. Telemetry [2] indicates that some users
do still encounter SHA1 signatures at a fraction of the rate of overall
certificate errors, so forbidding all SHA1 signatures should have minimal
compatibility impact.
[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
[1] https://chromeenterprise.google/policies/#EnableSha1ForLocalAnchors
[2] https://mzl.la/3kg5J4j
Differential Revision: https://phabricator.services.mozilla.com/D144870
2022-05-31 20:24:33 +00:00
Dana Keeler
6df4b335aa
Bug 1767489 - disable sha-1 signatures in certificates by default r=jschanck
...
Bug 1766687 will remove support for sha-1 signatures in certificates entirely.
This patch will disable sha-1 via the preference and ride the trains first, to
allow time for any organizations that somehow still use certificates with sha-1
signatures to re-sign them.
Differential Revision: https://phabricator.services.mozilla.com/D145359
2022-05-06 21:07:44 +00:00
John Schanck
6028a138e9
Bug 1691122 - Remove subject common name fallback support in CertVerifier. r=keeler,necko-reviewers,kershaw
...
Differential Revision: https://phabricator.services.mozilla.com/D143808
2022-04-28 19:48:06 +00:00
Butkovits Atila
94e2a597f6
Backed out changeset 0599b2a0913a (bug 1691122) for causing failures at test_peerConnection_basicAudioNATRelayTLS.html. CLOSED TREE
2022-04-28 03:58:05 +03:00
John Schanck
ea5479a8d7
Bug 1691122 - Remove subject common name fallback support in CertVerifier. r=keeler,necko-reviewers,kershaw
...
Differential Revision: https://phabricator.services.mozilla.com/D143808
2022-04-27 20:57:31 +00:00
John Schanck
86bd5cb77a
Bug 1765012 - expire CRLite filters after 10 days. r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D144619
2022-04-27 17:15:06 +00:00
Dana Keeler
334c8697f7
Bug 1758652 - avoid creating CERTCertificates in IsCertBuiltInRoot, rework saving intermediates r=jschanck
...
Differential Revision: https://phabricator.services.mozilla.com/D143647
2022-04-14 20:52:07 +00:00
Dana Keeler
e2267a307d
Bug 1735386 - adjust revocation checking for EV certificate intermediates to match Baseline Requirements r=jschanck
...
The Baseline Requirements no longer require an OCSP URI for EV certificate
intermediates. Since OneCRL covers intermediates anyways, OCSP checking for
intermediates can be skipped entirely.
Differential Revision: https://phabricator.services.mozilla.com/D142369
2022-03-30 01:35:26 +00:00
Masatoshi Kimura
d96d03d487
Bug 1761438 - Stop using 8.3 names in PSM. r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D142051
2022-03-26 00:52:07 +00:00
John Schanck
09350fa150
Bug 1754896 - Enable EV Treatment for D-TRUST EV Root CA 1 2020. r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D142141
2022-03-25 21:26:17 +00:00
Dana Keeler
7cd23429ff
Bug 1088140 - support RSA-PSS signatures on certificates in the certificate verifier r=jschanck
...
Differential Revision: https://phabricator.services.mozilla.com/D141780
2022-03-24 21:34:21 +00:00
Randell Jesup
08b1e68cb1
Bug 1207753 - security/certverifier thread-safety annotations r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D131878
2022-03-21 20:06:01 +00:00
Randell Jesup
fcaf70841e
Bug 1207753 - Add MOZ_UNANNOTATED to all Mutexes/Monitors r=nika,kershaw
...
Differential Revision: https://phabricator.services.mozilla.com/D140849
2022-03-16 18:47:08 +00:00
Noemi Erli
2390d257e6
Backed out changeset 12a59e5a50bf (bug 1207753) for causing build bustage CLOSED TREE
2022-03-16 18:32:51 +02:00
Randell Jesup
4b033a5256
Bug 1207753 - Add MOZ_UNANNOTATED to all Mutexes/Monitors r=nika,kershaw
...
Differential Revision: https://phabricator.services.mozilla.com/D140849
2022-03-16 16:16:14 +00:00
Butkovits Atila
927ad62c6a
Backed out changeset a68ee4b09f92 (bug 1207753) for causing Hazard bustages. CLOSED TREE
2022-03-16 14:38:14 +02:00
Randell Jesup
7d4b5fae04
Bug 1207753 - Add MOZ_UNANNOTATED to all Mutexes/Monitors r=nika,kershaw
...
Differential Revision: https://phabricator.services.mozilla.com/D140849
2022-03-16 12:01:14 +00:00
Dana Keeler
3f93068a72
Bug 1756061 - PSM changes corresponding to mozilla::pkix signature verification changes in bug 1755092
r=jschanck
...
Bug 1755092
changed how mozilla::pkix verifies signatures. This patch makes the
corresponding changes in PSM.
Depends on D140597
Differential Revision: https://phabricator.services.mozilla.com/D139202
2022-03-10 23:21:00 +00:00
Jens Stutte
8dc1e5affa
Bug 1750635: Substitute AppShutdown:IsShuttingDown with equivalent AppShutdown::IsInOrBeyond. r=florian,xpcom-reviewers,nika
...
Differential Revision: https://phabricator.services.mozilla.com/D139143
2022-02-18 19:35:13 +00:00
John Schanck
2654fbb629
Bug 1753071 - Add a "confirm revocations" mode to CRLite. r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D137553
2022-02-14 18:55:21 +00:00
John Schanck
3fa9218df2
Bug 1747959 - Take module list lock in FindRootsWithSubject. r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D138061
2022-02-07 21:39:20 +00:00
John Schanck
211bff8723
Bug 1747320 - Only query CRLite on covered certificates. r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D134566
2022-01-20 18:09:24 +00:00
Norisz Fay
4475b51bcb
Backed out changeset d4a6f5cb9b3f (bug 1747320) for breaking connectivity with many https sites (bug 1750188) a=backout
2022-01-14 15:15:26 +02:00
John Schanck
e4407de1ad
Bug 1747320 - Only query CRLite on covered certificates. r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D134566
2022-01-13 19:27:46 +00:00
Dana Keeler
b33a35a704
Bug 1746529 - only create CERTCertificates on the socket thread in certificate verification r=jschanck
...
Differential Revision: https://phabricator.services.mozilla.com/D134188
2022-01-03 23:57:46 +00:00
John Schanck
60b9669261
Bug 1745519 - Enable EV Treatment for NetLock Arany (Class Gold) Főtanúsítvány root certificate. r=keeler
...
Depends on D133688
Differential Revision: https://phabricator.services.mozilla.com/D133689
2021-12-22 00:04:04 +00:00
John Schanck
c4e9fd647f
Bug 1741932 - Enable EV Treatment for the renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert. r=keeler
...
Depends on D133687
Differential Revision: https://phabricator.services.mozilla.com/D133688
2021-12-22 00:04:03 +00:00
John Schanck
317db5ba4f
Bug 1740099 - Enable EV Treatment for iTrusChina vTrus Root CA and vTrus ECC Root CA. r=keeler
...
Depends on D133686
Differential Revision: https://phabricator.services.mozilla.com/D133687
2021-12-22 00:04:03 +00:00