Distrust new WoSign/StartCom certificates
Issue description

As announced at https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

For Chrome 56, the following steps should be taken:
- No new certificates
- Existing certificates only on a fixed whitelist of domains known to have certificates prior to the cut-off date.
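
The two Chrome 56 rules from the issue description, as a simplified added example (this is not Chromium's code from cert_verify_proc_whitelist.cc). The `ChainInfo` struct, the time of day of the cut-off, the strict `>` comparison and matching any dNSName by domain suffix are assumptions; the whitelist contents are supplied by the caller.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

// Assumption: cut-off is 2016-10-21 00:00:00 UTC; the page gives only the date.
constexpr int64_t kCutoffUnix = 1477008000;

// Fields a verifier would extract from the validated chain (hypothetical struct).
struct ChainInfo {
  bool has_affected_root;              // chain includes a WoSign/StartCom root
  int64_t leaf_not_before;             // leaf notBefore, seconds since epoch
  std::vector<std::string> dns_names;  // leaf dNSName entries
};

// Lower-case the name and drop a trailing dot so comparisons are canonical.
static std::string Normalize(std::string host) {
  std::transform(host.begin(), host.end(), host.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  if (!host.empty() && host.back() == '.') host.pop_back();
  return host;
}

// True if host equals domain or is a subdomain of it, on a label boundary,
// so "evilexample.test" does not match "example.test".
static bool UnderDomain(const std::string& host, const std::string& domain) {
  if (host == domain) return true;
  return host.size() > domain.size() + 1 &&
         host.compare(host.size() - domain.size(), domain.size(), domain) == 0 &&
         host[host.size() - domain.size() - 1] == '.';
}

// Returns true when the chain must be rejected under the two rules.
bool IsDistrusted(const ChainInfo& chain,
                  const std::vector<std::string>& whitelist) {
  if (!chain.has_affected_root) return false;            // policy not applicable
  if (chain.leaf_not_before > kCutoffUnix) return true;  // rule 1: no new certs
  for (const std::string& raw : chain.dns_names) {       // rule 2: whitelist
    const std::string name = Normalize(raw);
    for (const std::string& domain : whitelist)
      if (UnderDomain(name, domain)) return false;
  }
  return true;  // issued before the cut-off, but no name is whitelisted
}
```
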
,
Nov 6 2016
Issue 638668 has been merged into this issue.
,
Nov 8 2016
Issue 662282 has been merged into this issue.
,
Nov 14 2016
,
Nov 14 2016
Could you explain the label?
,
Nov 17 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/600f3a8217ed36654e9c10a778ca2de1480cb36a

commit 600f3a8217ed36654e9c10a778ca2de1480cb36a
Author: rsleevi <rsleevi@chromium.org>
Date: Thu Nov 17 05:09:32 2016

Distrust new WoSign/StartCom certificates

As announced at https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

BUG=661003
R=davidben@chromium.org
TEST=https://notbefore-after-21st-test.samspin.net/ does not load

Review-Url: https://codereview.chromium.org/2509613002
Cr-Commit-Position: refs/heads/master@{#432755}

[modify] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/cert/cert_verify_proc_whitelist.cc
[modify] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/cert/cert_verify_proc_whitelist_unittest.cc
[modify] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/certificates/README
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/certificates/wosign_after_oct_21.pem
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/certificates/wosign_before_oct_21.pem
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/wosign/4b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/wosign/7d8ce822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/wosign/8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/wosign/README.md
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/wosign/c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/wosign/c7ba6567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/wosign/d487a56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/wosign/d6f034bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem
[add] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/data/ssl/wosign/e17890ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem
[modify] https://crrev.com/600f3a8217ed36654e9c10a778ca2de1480cb36a/net/net.gypi
,
Nov 23 2016
Reply to #5: The TE-NeedsTriageHelp label is added if there are no manual steps for repro/verifying the fix. Thanks for the CL in #6. Wondering whether there is any pending work to be addressed in M56? If not, please request a merge when all looks good. It would be great to have everything set before the next Dev RC build cut @3 PM Monday 11/28.
,
Nov 23 2016
Marking this as Fixed for M-56, which the CL is already part of. I've verified on Mac, Win, and Linux that this works, but if TE can double check on all platforms using the aforementioned URL, that'd be great. Additional work will be added in M-57 and M-58, but I'll track that separately, with separate tests to cover.
,
Nov 23 2016
[Auto-generated comment by a script] We noticed that this issue is targeted for M-56; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-56 label, otherwise remove Merge-TBD label. Thanks.
,
Nov 23 2016
Script broken? M56 branched at 433059, this landed at 432755
,
Nov 24 2016
Tested the fix on Ubuntu 14.0, Win 10.0 and Mac 10.11.6 using Chrome version 56.0.2924.5 with the steps mentioned in Comment#6 >>TEST. As per the test, not able to view the provided URL. Please find the attached screencast for the same. Adding TE-Verified labels.
,
Dec 13 2016
The CL landed in 56.0.2924.0, no merge required.
,
Dec 16 2016
This bug requires manual review: No test file found in commits. Please contact the milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 16 2016
Removing Merge flags, which made the sheriffbot unhappy, since it's already in 56
Comment 1 by tarqui...@opera.com
, Nov 3 2016