desktop-packages team mailing list archive

[Bug 838322] Re: DigiNotar patch erroneously blocks one of the two Staat der Nederlanden roots

 

Launchpad has imported 14 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=683449.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-08-31T08:51:01+00:00 Gervase Markham wrote:

It turns out that there are two Staat der Nederlanden roots in our root
store, and our patch only exempts one of them from the DigiNotar block
:-(( This means that a number of websites whose certs do not chain up to
the dis-trusted DigiNotar root are nevertheless having their
certificates viewed as untrusted. I'm not sure how many sites this is.

The roots are:
Staat der Nederlanden Root CA
  (successfully exempted)
Staat der Nederlanden Root CA - G2
  (accidentally included)

The line of code is this one:

if (!strcmp(node->cert->issuerName,
    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...

This check needs to include both the names above.

Test site:
https://sha2.diginotar.nl/

Gerv

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/0
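
An added illustration of the check described in the report above, not code from Mozilla's patch or from any commenter: a simplified C model of exempting chains by exact issuer name, run with a one-name and a two-name exemption list. The G2 root's O= and C= components, the intermediate's name, the "CN=DigiNotar" block rule and all function names are assumptions or constructed sample values.

```c
#include <stddef.h>
#include <string.h>

/* DN string quoted in the report. */
#define SDN_ROOT    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"
/* Assumption: the G2 root's DN differs from the one above only in its CN. */
#define SDN_ROOT_G2 "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"
/* Constructed intermediate name, used only as sample input. */
#define DN_INTERMEDIATE "CN=DigiNotar Example Intermediate,O=Constructed,C=NL"

static const char *const exempt_before[] = { SDN_ROOT };
static const char *const exempt_after[]  = { SDN_ROOT, SDN_ROOT_G2 };

/* Exact comparison against each allowed DN. strcmp() is why "Root CA" did not
 * cover "Root CA - G2"; a prefix match would cover both, but also any other
 * issuer whose name merely starts the same way. */
static int issuer_is_exempt(const char *issuer, const char *const *list, size_t n)
{
    if (issuer == NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(issuer, list[i]) == 0)
            return 1;
    return 0;
}

/* Hypothetical block rule: reject a chain if any issuer name contains
 * "CN=DigiNotar", unless a certificate in it was issued by an exempt root. */
int chain_is_blocked(const char *const *issuers, size_t len,
                     const char *const *exempt, size_t n_exempt)
{
    int saw_diginotar = 0;
    for (size_t i = 0; i < len; i++) {
        if (issuer_is_exempt(issuers[i], exempt, n_exempt))
            return 0;
        if (issuers[i] != NULL && strstr(issuers[i], "CN=DigiNotar") != NULL)
            saw_diginotar = 1;
    }
    return saw_diginotar;
}

/* Constructed chains: issuer of the leaf, then issuer of the intermediate. */
static const char *const chain_g1[] = { DN_INTERMEDIATE, SDN_ROOT };
static const char *const chain_g2[] = { DN_INTERMEDIATE, SDN_ROOT_G2 };
/* 1 = chain rejected. "before": one-name list; "after": both names. */
int g1_before(void) { return chain_is_blocked(chain_g1, 2, exempt_before, 1); }
int g2_before(void) { return chain_is_blocked(chain_g2, 2, exempt_before, 1); }
int g2_after(void)  { return chain_is_blocked(chain_g2, 2, exempt_after, 2); }

int main(void) { return !(g1_before() == 0 && g2_before() == 1 && g2_after() == 0); }
```

In this model the G2 chain is rejected only because its root's name is missing from the list; keeping the comparison exact and adding the second DN restores it without widening the exemption to other names.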

------------------------------------------------------------------------
On 2011-08-31T10:09:49+00:00 Mark-janssen wrote:

Some more websites:
https://g2test.logius.nl/
https://steenwijkerland.bim.mijnbezwaar.nl/

Let me know if you need more.

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/1

------------------------------------------------------------------------
On 2011-08-31T10:38:46+00:00 Mark-janssen wrote:

Again more sites:
https://secure.valkenswaard.nl/
https://www8.eindhoven.nl/

Thanks

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/2

------------------------------------------------------------------------
On 2011-08-31T10:46:09+00:00 Gervase Markham wrote:

This bug cannot progress until the right people wake up. If we decide to
issue a further update, the turnaround time is about 24 hours.

Gerv

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/3

------------------------------------------------------------------------
On 2011-08-31T14:12:26+00:00 Ehsan-mozilla wrote:

I think I may have a patch.

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/4

------------------------------------------------------------------------
On 2011-08-31T14:14:19+00:00 Ehsan-mozilla wrote:

Created attachment 557158
Patch (v1)

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/5

------------------------------------------------------------------------
On 2011-08-31T14:14:34+00:00 Bsmith-mozilla wrote:

Created attachment 557159
WIP - Allow Staat der Nederlanden Root CA - G2 Root

This is still building on my machine.

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/6

------------------------------------------------------------------------
On 2011-08-31T14:16:25+00:00 Ehsan-mozilla wrote:

(In reply to Brian Smith (:bsmith) from comment #6)
> Created attachment 557159
> WIP - Allow Staat der Nederlanden Root CA - G2 Root
> 
> This is still building on my machine.

Same here!

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/7

------------------------------------------------------------------------
On 2011-08-31T14:24:12+00:00 Bsmith-mozilla wrote:

Comment on attachment 557159
WIP - Allow Staat der Nederlanden Root CA - G2 Root

Will use Ehsan's patch, which I will r+ as soon as it finishes building
on my machine and I can test it.

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/8

------------------------------------------------------------------------
On 2011-08-31T14:26:01+00:00 Kai Engert wrote:

Comment on attachment 557158
Patch (v1)

If the Dutch gov insists on this, and Mozilla decides to concur, I'm fine with this code change.
r=kaie

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/9

------------------------------------------------------------------------
On 2011-08-31T14:38:10+00:00 Ehsan-mozilla wrote:

Just verified locally that the fix is working for all of the test
websites.

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/10

------------------------------------------------------------------------
On 2011-08-31T14:39:58+00:00 Ehsan-mozilla wrote:

http://hg.mozilla.org/mozilla-central/rev/e18dcb523b20

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/11

------------------------------------------------------------------------
On 2011-08-31T14:46:21+00:00 Ehsan-mozilla wrote:

I landed it on aurora, beta and 1.9.2 (not the relbranch) with johnath's
verbal approval:

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/72fd28e61b47
http://hg.mozilla.org/releases/mozilla-aurora/rev/ba929aa09503
http://hg.mozilla.org/releases/mozilla-beta/rev/6791db28b82f

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/12

------------------------------------------------------------------------
On 2011-08-31T14:58:03+00:00 Johnath wrote:

(Confirming that this has any approval flags ehsan needs it to have -
a=me)

Reply at: https://bugs.launchpad.net/firefox/+bug/838322/comments/13


** Changed in: firefox
       Status: Unknown => Fix Released

** Changed in: firefox
   Importance: Unknown => Critical

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/838322

Title:
  DigiNotar patch erroneously blocks one of the two Staat der
  Nederlanden roots

Status in The Mozilla Firefox Browser:
  Fix Released
Status in “firefox” package in Ubuntu:
  Triaged
Status in “xulrunner-1.9.2” package in Ubuntu:
  Invalid
Status in “firefox” source package in Lucid:
  In Progress
Status in “xulrunner-1.9.2” source package in Lucid:
  In Progress
Status in “firefox” source package in Maverick:
  In Progress
Status in “xulrunner-1.9.2” source package in Maverick:
  In Progress
Status in “firefox” source package in Natty:
  In Progress
Status in “xulrunner-1.9.2” source package in Natty:
  Invalid
Status in “firefox” source package in Oneiric:
  Triaged
Status in “xulrunner-1.9.2” source package in Oneiric:
  Invalid

Bug description:
  The fix for bug #837557 unfortunately had a small regression for users
  of Staat der Nederlanden sites.  One of their two root CAs was
  blocked.  An update is being prepared to fix the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/838322/+subscriptions

