NSS:CompletedFromBurnDownList: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 10: Line 10:
   <th>Release</th>
   <th>Release</th>
   <th>Notes</th>
   <th>Notes</th>
</tr>
<tr>
  <td>P3* NSS</td>
  <td>Implement OCSP stapling</td>
  <td>{{bug|360420}}</td>
  <td>{{bug|663733}}</td>
  <td>NSS 3.14.4</td>
  <td>{{bug|700693}} - PSM preference to have OCSP stapling off by default.
</td>
</tr>
</tr>


Revision as of 17:35, 28 February 2013

This page lists items that have been completed that were being tracked in the SSL Burn Down List.

Pr Enhancement Related Bugs Dependencies Release Notes
P3* NSS Implement OCSP stapling bug 360420 bug 663733 NSS 3.14.4 bug 700693 - PSM preference to have OCSP stapling off by default.
P2 NSS Implement TLS 1.1 bug 565047 See bug NSS 3.14 Blocks DTLS, which blocks WebRTC. NSS part needs to be landed. PSM part can be deferred, bug 733647 to have Firefox use this.
P1* PSM/Gecko Implement mechanism to prevent sending insecure requests from a secure context bug 62178 See bug FF 18 Determine whether showing security indicators in Firefox is really deserved. It's not deserved if a page loads insecure content. By default we shouldn't load such content, because it can leak authentication cookies, allow cross-site scripting attacks, etc.

Mozilla P2

P1 PSM Fix SSL error handling regressions bug 783974 FF17
  • bug 783974 -- Log SSL errors to the error console.
  • bug 785426 - allow app to register callback for user feedback.
  • bug 739563 - no error message for SSL errors and non-overridable cert errors.
P1 NSS Cannot validate valid certificate chain when looping/cross-signed certs are involved bug 634074, bug 764393 FF 15, 16, 17
  • Fixed the case where a trusted root has been cross signed and the cross certificate is in the path.
  • Libpkix is required to fix the case of when there is a cross cert to cross cert loop.
P2 NSS PSM Disable MD5 Signatures bug 650355, bug 590364 bug 758314, bug 732390 FF16
  • bug 758314 - allow user over-ride of error.
  • bug 738454 - Add new error code;
  • bug 738457 - PSM change for new error code.
  • This is something that we said we would do, and required all CAs to move their customers from MD5 by June 30, 2011. Chrome turned off MD5 support in early 2012, and found that there are still some old network products that have not updated their certs, so companies need to be able to set a preference to enable MD5 until they can get those upgraded. Wan-Teh said that the concern he raised a few years ago about there being too many MD5 intermediate certs is no longer the case.
P5 PSM Auto-Update of CRLs not working with DD.MM.YYYY date locale bug 682244 FF14 The entire automatic fetching of CRLs in PSM is completely broken and an ugly old workaround. Let's get libPKIX done (651246), which will give us automatic fetching of CRL. Once done, we can remove the auto-update CRL feature.
P1 NSS Generic blacklisting mechanism bug 470994, bug 727204, bug 642503 NSS 3.13.3 We can now block cert by issuer and serial number in NSS, and the Trustwave subCA certs have been added to this list. Any branch that desires this blocking ability will have to upgrade to a newer NSS release with this bug fixed, which will be NSS 3.13.3 at the earliest.
P1 NSS PSM Something in networking and/or SSL layer takes lots of processing power bug 710176 FF 11 Regression from landing SSL thread removal, probably
Retrieved from "https://wiki.mozilla.org/index.php?title=NSS:CompletedFromBurnDownList&oldid=532509"