Bug 1441223 added MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED to be emitted when we hit certificates affected by the Symantec distrust. Some sites are still emitting SEC_ERROR_UNKNOWN_ISSUER if they have multiple certificate trust paths possible, but one is unknown. This error really should be fatal -- perhaps like Bug 1437214. This affects 60, and is confusing for writing documentation (Bug 1444427). If it's a reasonable patch, we might want to uplift this into 60. [1] https://tlscanary.mozilla.org/runs/2018-03-08-10-41-46/index.htm

Is there a reason why we can't issue an error like ERR_CERT_SYMANTEC_LEGACY? (assuming we adjust the prefix to fit into our error hierarchy)

(In reply to Selena Deckelmann :selenamarie :selena use ni? pronoun: she from comment #1) > Is there a reason why we can't issue an error like ERR_CERT_SYMANTEC_LEGACY? > (assuming we adjust the prefix to fit into our error hierarchy) Only that we wanted to be able to re-use this error for future distrust-by-policy events, since adding errors is more work than it really should be. If we had the special error page from Bug 1441959, it might be more clear.

Comment on attachment 8959029 [details] Bug 1444440 - Ensure the correct error is emitted for policy distrusts r?keeler David Keeler [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D734

Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/98125ba99b69 Ensure the correct error is emitted for policy distrusts r=keeler

Looks like this bug won a perf improvement, though I don't see any clear connections. Please state whether it makes sense or not, as Strings * tests are very sensitive and noisy. == Change summary for alert #12298 (as of Tue, 20 Mar 2018 15:11:49 GMT) == Improvements: 13% Strings PerfStripCharsWhitespace osx-10-10 opt 342,711.17 -> 298,132.50 For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=12298

This would not have contributed to a performance improvement for string processing code (unless it's something esoteric and hand-wavey like "cache alignment").

Comment on attachment 8959029 [details] Bug 1444440 - Ensure the correct error is emitted for policy distrusts r?keeler Approval Request Comment [Feature/Bug causing the regression]: Bug 1441223 [User impact if declined]: Sometimes the Symantec policy error will be "unknown issuer" incorrectly, which may be confusing to the users. [Is this code covered by automated tests?]: Yes. [Has the fix been verified in Nightly?]: Yes, since Wednesday 21 March. [Needs manual test from QE? If yes, steps to reproduce]: No, and it's being exercised by the TLS Canary (tlscanary.mozilla.org) [List of other uplifts needed for the feature/fix]: None [Is the change risky?]: Medium-low risk [Why is the change risky/not risky?]: It's a small patch, in code well covered by tests, but that code is our cert verification code. There cannot exist a low-risk change to that code, as it's security critical. Still, we've high confidence in the algorithm changes, and it's got tests. [String changes made/needed]: No changes needed.

Comment on attachment 8959029 [details] Bug 1444440 - Ensure the correct error is emitted for policy distrusts r?keeler better error for the symantec distrust in some cases, beta60+