NSS:CompletedFromBurnDownList: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Created page with "This page lists items that have been completed that were being tracked in the SSL Burn Down List. <table border="1"> <tr> <th>Pr</th> <th>Enhancement...")
 
 
(20 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Completed from Burn Down List ==
This page lists items that have been completed that were being tracked in the [[NSS:BurnDownList | SSL Burn Down List.]]
This page lists items that have been completed that were being tracked in the [[NSS:BurnDownList | SSL Burn Down List.]]


Line 8: Line 10:
   <th>Related Bugs</th>  
   <th>Related Bugs</th>  
   <th>Dependencies</th>  
   <th>Dependencies</th>  
   <th>Level of Effort</th>
   <th>Release</th>
  <th>Status</th>
   <th>Notes</th>
   <th>Notes</th>
</tr>
<tr>
  <td>P3 NSS</td>
  <td>Support OCSP GET</td>
  <td>{{bug|436414}}</td>
  <td>Automated tests, OCSP server in NSS test tools</td>
  <td>NSS 3.15.3</td>
  <td>GET and POST are two alternative transfer mechanisms used with HTTP, and only GET can be cached, but currently NSS only supports POST.
* GET should be default, POST should be fallback in case GET fails.</td>
</tr>
<tr>
  <td>P2 NSS</td>
  <td>Implement TLS 1.2</td>
  <td>{{bug|480514}}</td>
  <td>See bug</td>
  <td>NSS 3.15.1</td>
  <td>{{Bug|861266}} - Implement TLS 1.2 (RFC 5246) in Gecko (Firefox, Thunderbird), on by default.
{{Bug|707275}} - Implement SSL certificate and cipher suite telemetry.</td>
</tr>
<tr>
  <td>P2 NSS</td>
  <td>NSS Testing
* NISCC
* OCSP tests</td>
  <td></td>
  <td></td>
  <td></td>
  <td>This is important to avoid regressions in the NSS software component. In moving to libpkix we will need to make sure our testing is as complete as possible so that we don't regress anything when we fix bugs requiring tricky changes to libpkix.
Our current automated NSS testing may not be insufficient, because a lot of configuration was hidden on computers run by Sun/Oracle. </td>
  </tr>
<tr>
  <td>P3 PSM</td>
  <td>PSM changes and tests to support OCSP stapling</td>
  <td>{{bug|700693}}</td>
  <td></td>
  <td>Mozilla27</td>
  <td>Postponed from Firefox 25 due to {{bug|929617}}. </td>
</tr>
<tr>
  <td>P3 NSS</td>
  <td>Improve OCSP testing</td>
  <td>{{bug|811317}}, {{bug|663733}}</td>
  <td></td>
  <td>3.14.1</td>
  <td>Needed to test OCSP response handling in general, and OCSP stapling in particular.
* {{bug|811317}} -- Add code to create a signed OCSP response.
* {{bug|663733}} -- Better decoding of OCSP cert status, and OCSP code cleanup and "const" API changes.</td>
</tr>
<tr>
  <td></td>
  <td>Migrate NSS from CVS to Mercurial</td>
  <td>{{bug|844385}}</td>
  <td></td>
  <td></td>
  <td>Test Repositories created. Request that everyone land changes into both CVS and Mercurial/HG for now.</td>
</tr>
<tr>
  <td>P3* NSS</td>
  <td>Implement OCSP stapling</td>
  <td>{{bug|360420}}</td>
  <td>{{bug|663733}}</td>
  <td>NSS 3.14.4</td>
  <td>{{bug|700693}} - PSM preference to have OCSP stapling off by default.
</td>
</tr>
<tr>
  <td>P2 NSS</td>
  <td>Implement TLS 1.1</td>
  <td>{{bug|565047}}</td>
  <td>See bug</td>
  <td>NSS 3.14</td>
  <td> Blocks DTLS, which blocks WebRTC. NSS part needs to be landed. PSM part can be deferred, {{bug|733647}} to have Firefox use this.</td>
</tr>
<tr>
  <td>P1* PSM/Gecko</td>
  <td>Implement mechanism to prevent sending insecure requests from a secure context</td>
  <td>{{bug|62178}}</td>
  <td>See bug</td>
  <td>FF 18</td>
  <td>Determine whether showing security indicators in Firefox is really deserved. It's not deserved if a page loads insecure content. By default we shouldn't load such content, because it can leak authentication cookies, allow cross-site scripting attacks, etc.
[https://wiki.mozilla.org/Security/Features/Mixed_Content_Blocker Mozilla P2]
</td>
</tr>
<tr>
  <td>P1 PSM</td>
  <td>Fix SSL error handling regressions</td>
  <td>{{bug|783974}}</td>
  <td></td>
  <td>FF17</td>
  <td>
* {{bug|783974}} -- Log SSL errors to the error console.
* {{bug|785426}} - allow app to register callback for user feedback.
* {{bug|739563}} - no error message for SSL errors and non-overridable cert errors.
</td>
</tr>
</tr>


<tr>
<tr>
   <td>P1 NSS</td>
   <td>P1 NSS</td>
   <td>Generic blacklisting mechanism is not yet working</td>
   <td>Cannot validate valid certificate chain when looping/cross-signed certs are involved</td>
   <td>{{bug|727204}}</td>
  <td>{{bug|634074}}, {{bug|764393}}</td>
  <td></td>
  <td>FF 15, 16, 17</td>
  <td>
* Fixed the case where a trusted root has been cross signed and the cross certificate is in the path.
* Libpkix is required to fix the case of when there is a cross cert to cross cert loop.</td>
</tr>
 
<tr>
  <td>P2 NSS PSM</td>
  <td>Disable MD5 Signatures</td>
  <td>{{bug|650355}}, {{bug|590364}}</td>
  <td> {{bug|758314}}, {{bug|732390}}</td>
  <td>FF16</td>
  <td>
* {{bug|758314}} - allow user over-ride of error.
* {{bug|738454}} - Add new error code;
* {{bug|738457}} - PSM change for new error code.
* [https://wiki.mozilla.org/CA:MD5and1024 This is something that we said we would do,] and required all CAs to move their customers from MD5 by June 30, 2011. Chrome turned off MD5 support in early 2012, and found that there are still some old network products that have not updated their certs, so companies need to be able to set a preference to enable MD5 until they can get those upgraded. Wan-Teh said that the concern he raised a few years ago about there being too many MD5 intermediate certs is no longer the case.
</tr>
 
<tr>
  <td>P5 PSM</td>
  <td>Auto-Update of CRLs not working with DD.MM.YYYY date locale</td>
   <td>{{bug|682244}}</td>
   <td></td>
   <td></td>
  <td>FF14</td>
  <td>The entire automatic fetching of CRLs in PSM is completely broken and an ugly old workaround. Let's get libPKIX done (651246), which will give us automatic fetching of CRL. Once done, we can remove the auto-update CRL feature.</td>
</tr>
<tr>
  <td>P1 NSS</td>
  <td>Generic blacklisting mechanism</td>
  <td>{{bug|470994}}, {{bug|727204}}, {{bug|642503}}</td>
   <td></td>
   <td></td>
   <td>in 3.13.3</td>
   <td>NSS 3.13.3</td>
   <td>We stated that we can now block cert by issuer and serial number in NSS, and we plan to add the Trustwave subCA to this list. Any branch that desires this blocking ability will have to upgrade to a newer NSS release with this bug fixed, which will be NSS 3.13.3 at the earliest. </td>
   <td>We can now block cert by issuer and serial number in NSS, and the Trustwave subCA certs have been added to this list. Any branch that desires this blocking ability will have to upgrade to a newer NSS release with this bug fixed, which will be NSS 3.13.3 at the earliest. </td>
</tr>
</tr>


Line 28: Line 166:
   <td>{{bug|710176}}</td>
   <td>{{bug|710176}}</td>
   <td></td>
   <td></td>
   <td>Hopefully small!</td>
   <td>FF 11</td>
  <td>Resolved Fixed</td>
   <td>Regression from landing SSL thread removal, probably</td>
   <td>Regression from landing SSL thread removal, probably</td>
</tr>
</tr>
Line 37: Line 174:
   <td></td>
   <td></td>
   <td></td>
   <td></td>
  <td></td>
   <td></td>  
   <td></td>  
   <td></td>
   <td></td>
Line 44: Line 180:


<tr>
<tr>
  <td></td>
   <td></td>
   <td></td>
   <td></td>
   <td></td>

Latest revision as of 20:07, 23 October 2013

Completed from Burn Down List

This page lists items that have been completed that were being tracked in the SSL Burn Down List.

Pr Enhancement Related Bugs Dependencies Release Notes
P3 NSS Support OCSP GET bug 436414 Automated tests, OCSP server in NSS test tools NSS 3.15.3 GET and POST are two alternative transfer mechanisms used with HTTP, and only GET can be cached, but currently NSS only supports POST.
  • GET should be default, POST should be fallback in case GET fails.
P2 NSS Implement TLS 1.2 bug 480514 See bug NSS 3.15.1 bug 861266 - Implement TLS 1.2 (RFC 5246) in Gecko (Firefox, Thunderbird), on by default. bug 707275 - Implement SSL certificate and cipher suite telemetry.
P2 NSS NSS Testing
  • NISCC
  • OCSP tests
 This is important to avoid regressions in the NSS software component. In moving to libpkix we will need to make sure our testing is as complete as possible so that we don't regress anything when we fix bugs requiring tricky changes to libpkix. Our current automated NSS testing may not be insufficient, because a lot of configuration was hidden on computers run by Sun/Oracle.
P3 PSM PSM changes and tests to support OCSP stapling bug 700693 Mozilla27 Postponed from Firefox 25 due to bug 929617.
P3 NSS Improve OCSP testing bug 811317, bug 663733 3.14.1 Needed to test OCSP response handling in general, and OCSP stapling in particular.
  • bug 811317 -- Add code to create a signed OCSP response.
  • bug 663733 -- Better decoding of OCSP cert status, and OCSP code cleanup and "const" API changes.
Migrate NSS from CVS to Mercurial bug 844385 Test Repositories created. Request that everyone land changes into both CVS and Mercurial/HG for now.
P3* NSS Implement OCSP stapling bug 360420 bug 663733 NSS 3.14.4 bug 700693 - PSM preference to have OCSP stapling off by default.
P2 NSS Implement TLS 1.1 bug 565047 See bug NSS 3.14 Blocks DTLS, which blocks WebRTC. NSS part needs to be landed. PSM part can be deferred, bug 733647 to have Firefox use this.
P1* PSM/Gecko Implement mechanism to prevent sending insecure requests from a secure context bug 62178 See bug FF 18 Determine whether showing security indicators in Firefox is really deserved. It's not deserved if a page loads insecure content. By default we shouldn't load such content, because it can leak authentication cookies, allow cross-site scripting attacks, etc.

Mozilla P2

P1 PSM Fix SSL error handling regressions bug 783974 FF17
  • bug 783974 -- Log SSL errors to the error console.
  • bug 785426 - allow app to register callback for user feedback.
  • bug 739563 - no error message for SSL errors and non-overridable cert errors.
P1 NSS Cannot validate valid certificate chain when looping/cross-signed certs are involved bug 634074, bug 764393 FF 15, 16, 17
  • Fixed the case where a trusted root has been cross signed and the cross certificate is in the path.
  • Libpkix is required to fix the case of when there is a cross cert to cross cert loop.
P2 NSS PSM Disable MD5 Signatures bug 650355, bug 590364 bug 758314, bug 732390 FF16
  • bug 758314 - allow user over-ride of error.
  • bug 738454 - Add new error code;
  • bug 738457 - PSM change for new error code.
  • This is something that we said we would do, and required all CAs to move their customers from MD5 by June 30, 2011. Chrome turned off MD5 support in early 2012, and found that there are still some old network products that have not updated their certs, so companies need to be able to set a preference to enable MD5 until they can get those upgraded. Wan-Teh said that the concern he raised a few years ago about there being too many MD5 intermediate certs is no longer the case.
P5 PSM Auto-Update of CRLs not working with DD.MM.YYYY date locale bug 682244 FF14 The entire automatic fetching of CRLs in PSM is completely broken and an ugly old workaround. Let's get libPKIX done (651246), which will give us automatic fetching of CRL. Once done, we can remove the auto-update CRL feature.
P1 NSS Generic blacklisting mechanism bug 470994, bug 727204, bug 642503 NSS 3.13.3 We can now block cert by issuer and serial number in NSS, and the Trustwave subCA certs have been added to this list. Any branch that desires this blocking ability will have to upgrade to a newer NSS release with this bug fixed, which will be NSS 3.13.3 at the earliest.
P1 NSS PSM Something in networking and/or SSL layer takes lots of processing power bug 710176 FF 11 Regression from landing SSL thread removal, probably
Retrieved from "https://wiki.mozilla.org/index.php?title=NSS:CompletedFromBurnDownList&oldid=735601"