Closed Bug 1442042 Opened 6 years ago Closed 5 years ago

Gradual roll-out of TLS 1.3 on release channel (59)

Categories

(Core :: Security: PSM, defect, P3)

Product:
Core
Component:
Security: PSM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox59 + verified

People

(Reporter: rhelmer, Assigned: rhelmer)

References

(
URL
)

Details

(Whiteboard: [psm-assigned])

Attachments

(4 files, 15 obsolete files)

Testing notes for QA
1.17 KB, text/plain
Details
Update XML files for QA
425 bytes, text/xml
Details
TLS 1.3 roll-out SAO v9 (unsigned) - 95%
1.92 KB, application/x-xpinstall
Details
TLS 1.3 roll-out SAO v9 (signed) - 95%
6.06 KB, application/x-xpinstall
wezhou
: review+
Details 
We want to do a gradual roll-out of TLS 1.3 to the release channel.

This is controlled using a "security.tls.version.max" pref, which is currently 3 (TLS 1.2) on release and 4 (TLS 1.3) on beta/nightly.

The plan is to use a system add-on (SAO) update, and to initially roll out to 10% of users. Due to limitations around the throttling feature on the (balrog) server-side, the easiest route is to make the determination of whether or not to enable TLS 1.3 inside the add-on.
A couple more issues here.  rhelmer, Can you make a PI request (https://mana.mozilla.org/wiki/display/PI/PI+Request) for QE to test once we have the add-on and balrog configuration?  

ekr:  will there be a blog post or anything else (say, on MDN) about the change that we can link to from release notes? I'd like to include this in release notes even though we're rolling out the change gradually. It helps to have some deeper explanation available.
Flags: needinfo?(rhelmer)
Flags: needinfo?(ekr)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #1)
> A couple more issues here.  rhelmer, Can you make a PI request
> (https://mana.mozilla.org/wiki/display/PI/PI+Request) for QE to test once we
> have the add-on and balrog configuration?  


Done.
Flags: needinfo?(rhelmer)
Attached file TLS 1.3 roll-out SAO v1 (obsolete) — 
Jason, could you please sign this system add-on update? Thanks!
Attachment #8956147 - Flags: feedback?(jthomas)
Flags: needinfo?(wezhou)
Attachment #8956147 - Flags: feedback?(jthomas) → feedback?(wezhou)
Flags: needinfo?(wezhou)
Attached file TLS 1.3 roll-out SAO v1 (signed) (obsolete) — 
Signed file attached. Please test.
Attachment #8956175 - Flags: feedback+
Attachment #8956147 - Flags: feedback?(wezhou) → feedback+
(In reply to :wezhou from comment #4)
> Created attachment 8956175 [details]
> signed.8956147.xpi
> 
> Signed file attached. Please test.

Quick question: With the System Addon Update (SAO) process, does bootstrap.js run once ? I assume so - otherwise this code seems to be a 10% chance to enable TLS1.3 every time you startup, which doesn't sound like what we want from comment 0. Just checking...
(In reply to Paul Theriault [:pauljt] from comment #5)
> (In reply to :wezhou from comment #4)
> > Created attachment 8956175 [details]
> > signed.8956147.xpi
> > 
> > Signed file attached. Please test.
> 
> Quick question: With the System Addon Update (SAO) process, does
> bootstrap.js run once ? I assume so - otherwise this code seems to be a 10%
> chance to enable TLS1.3 every time you startup, which doesn't sound like
> what we want from comment 0. Just checking...

This does run on every startup, but the seed used is always the string (client ID + the addon ID), both of which persist across browser sessions.

That said, I don't think there's any reason we couldn't move this to the install method so it just runs once. The decision shouldn't ever change across different startups unless we change the addon ID, in which case it'll require an install of a new add-on anyway.
(In reply to Robert Helmer [:rhelmer] from comment #6)
> (In reply to Paul Theriault [:pauljt] from comment #5)
> > (In reply to :wezhou from comment #4)
> > > Created attachment 8956175 [details]
> > > signed.8956147.xpi
> > > 
> > > Signed file attached. Please test.
> > 
> > Quick question: With the System Addon Update (SAO) process, does
> > bootstrap.js run once ? I assume so - otherwise this code seems to be a 10%
> > chance to enable TLS1.3 every time you startup, which doesn't sound like
> > what we want from comment 0. Just checking...
> 
> This does run on every startup, but the seed used is always the string
> (client ID + the addon ID), both of which persist across browser sessions.
> 
> That said, I don't think there's any reason we couldn't move this to the
> install method so it just runs once. The decision shouldn't ever change
> across different startups unless we change the addon ID, in which case it'll
> require an install of a new add-on anyway.

Ah ok, makes sense. Whatever think is a fair thing - I didn't realize the seed was persistent.
(In reply to Paul Theriault [:pauljt] from comment #7)
> (In reply to Robert Helmer [:rhelmer] from comment #6)
> > (In reply to Paul Theriault [:pauljt] from comment #5)
> > > (In reply to :wezhou from comment #4)
> > > > Created attachment 8956175 [details]
> > > > signed.8956147.xpi
> > > > 
> > > > Signed file attached. Please test.
> > > 
> > > Quick question: With the System Addon Update (SAO) process, does
> > > bootstrap.js run once ? I assume so - otherwise this code seems to be a 10%
> > > chance to enable TLS1.3 every time you startup, which doesn't sound like
> > > what we want from comment 0. Just checking...
> > 
> > This does run on every startup, but the seed used is always the string
> > (client ID + the addon ID), both of which persist across browser sessions.
> > 
> > That said, I don't think there's any reason we couldn't move this to the
> > install method so it just runs once. The decision shouldn't ever change
> > across different startups unless we change the addon ID, in which case it'll
> > require an install of a new add-on anyway.
> 
> Ah ok, makes sense. Whatever think is a fair thing - I didn't realize the
> seed was persistent.

ekr just reminded me that we *do* want to use startup() here, because the pref doesn't stick around across restarts (it's using the "default" branch, so if the add-on doesn't work for any reason, or is removed by external software etc, the pref will revert to the same as we shipped for 59)

So, that means the XPI on this bug is still good to go.
Attachment #8956175 - Attachment description: signed.8956147.xpi → TLS 1.3 roll-out SAO v1 (signed)
Attachment #8956175 - Attachment filename: signed.8956147.xpi → tls13-rollout-bug1442042@mozilla.org-v1.0-signed.xpi
Noting that we landed the patch to disable TLS 1.3 by default on release for the RC2 build, in bug 1442033.
Flags: needinfo?(ekr)
Attached file Testing notes for QA 

    
    

    
  


  

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v1 (unsigned) (obsolete)
        — 
      

    


  
New version of the TLS 1.3 roll-out system add-on for signing. Thanks!

        Attachment #8956147 -
        Attachment is obsolete: true

        Attachment #8956175 -
        Attachment is obsolete: true
Flags: needinfo?(jthomas)

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v1 (unsigned) (obsolete)
        — 
      

    


  

        Attachment #8958862 -
        Attachment is obsolete: true
Flags: needinfo?(jthomas)

    
    

    
  
QA found a problem when testing this - ClientID.getClientID() returns a Promise which wasn't being `await`ed (it's used as part of the seed for determining whether or not to activate TLS 1.3 for the desired percentage of users)

This is fixed in the latest version of the add-on (2.0)

    
    

    
  
:rhelmer, do you need attachment 8958864 [details] to be signed? I'm a little confused because it says v1 but there is also saying that something is fixed in 2.0.

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v3 (unsigned) (obsolete)
        — 
      

    


  
After discussing w/ ekr, we've decided to roll this out to 1% of users first.

Since this decision is being made inside the add-on, we'll need to re-sign. I've bumped the version # as well, to 3.0

Thanks!

        Attachment #8958864 -
        Attachment is obsolete: true
Flags: needinfo?(jthomas)
Flags: needinfo?(jthomas) → needinfo?(wezhou)

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v4 (unsigned) (obsolete)
        — 
      

    


  
Sorry, one last minor change to disable debug logging.

    
  

        Attachment #8959385 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v4 (signed) (obsolete)
        — 
      

    


  
Signed file attached. Please test.
Flags: needinfo?(wezhou)

    
  

        Attachment #8959646 -
        Attachment description: signed.8959629.xpi → TLS 1.3 roll-out SAO v4 (unsigned)

        Attachment #8959646 -
        Attachment filename: signed.8959629.xpi → tls13-rollout-bug1442042@mozilla.org-v4.0.xpi

    
  

        Attachment #8959646 -
        Attachment description: TLS 1.3 roll-out SAO v4 (unsigned) → TLS 1.3 roll-out SAO v4 (signed)

    
    

    
  
Rehan, could you please host attachment 8959646 [details] on the system add-on test channel? Thanks!
Flags: needinfo?(rdalal)

    
    

    
  
This has been shipped on the test channel (release-sysaddon).
Flags: needinfo?(rdalal)

    
    

    
  
The rules were also created for the release channel and are waiting for sign off from relman.

rhelmer has confirmed it worked as expected on the test channel.
Flags: needinfo?(lhenry)

    
    

    
  
Does this have a QA sign-off? Without that it's hard for relman to give a green signal.

    
    

    
  
Following the steps from comment 10 I tested on Windows 10 x64, Ubuntu 16.04 x64 and Mac OS X 10.12 on Beta 59.0 build 5(10-Mar-2018) and everything went as expected, in "about:support" the add-on is displayed under "Firefox Features" and in "about:config" perf "security.tls.version.max" is set to 4.

Note: I could not verify that the add-on is active only for 1% of profiles.
Thanks.

          status-firefox59:
          affectedverified

    
    

    
  
Let's go with it, since we've used this same add-on before in test rollouts.  However, I think that in general, testing should check the functionality of what the add-on does (for example we had a system add-on that changed a pref value from one number to another, tested by looking at that value, but the value turned out to be a string not an int and we had to re-release) 

I'll sign off on the update rules in balrog now, though.
Flags: needinfo?(lhenry)

    
    

    
  
Telemetry query showing the roll-out of this add-on using main_summary. We expect ~1% of clients with the add-on installed to actually be making TLS 1.3 connections, which is what this is showing so far.

I've set the query to update every 12 hours.
URL: https://sql.telemetry.mozilla.org/que...

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v5 (unsigned) (obsolete)
        — 
      

    


  
Please sign this system add-on update XPI.

Changes from the previous version are:

* activates for 5% of clients (previously 1%)
* bump version number to 5.0

        Attachment #8959629 -
        Attachment is obsolete: true

        Attachment #8959646 -
        Attachment is obsolete: true
Flags: needinfo?(wezhou)
Flags: needinfo?(jthomas)

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v5 (signed) (obsolete)
        — 
      

    


  
Signed file attached. Please test.
Flags: needinfo?(wezhou)
Flags: needinfo?(jthomas)

    
    

    
  
Comment on attachment 8960826 [details]
TLS 1.3 roll-out SAO v5 (signed)

Rehan, could you please stage this and put on the test channel? Thanks!

        Attachment #8960826 -
        Attachment description: signed.8960820.xpi → TLS 1.3 roll-out SAO v5 (signed)

        Attachment #8960826 -
        Attachment filename: signed.8960820.xpi → tls13-rollout-bug1442042@mozilla.org-v5.0.xpi
Flags: needinfo?(rdalal)

    
    

    
  
This is now on the test channel.
Flags: needinfo?(rdalal)

    
    

    
  
(In reply to Rehan Dalal [:rehan, :rdalal] from comment #29)
> This is now on the test channel.

Thanks! Tested this locally on latest 59 (macOS) and inspected the hosted XPI versus the previous one we shipped (excluding the signature files):

diff -r tmp1/bootstrap.js tmp2/bootstrap.js
18c18
< const ENABLE_PROB = 0.01;
---
> const ENABLE_PROB = 0.05;
diff -r tmp1/install.rdf tmp2/install.rdf
5c5
<     <em:version>4.0</em:version>
---
>     <em:version>5.0</em:version>

Thanks Rehan! Can you also set this up on the release channel so it's pending relman approval?

Liz, the only change here is we've updated the probability that TLS 1.3 will be active, from 1% -> 5%, and we're watching it in telemetry (per comment 25). If you want us to do any other testing please let me know, given the above I think we're probably good to go.
Flags: needinfo?(rdalal)
Flags: needinfo?(lhenry)

    
    

    
  
I've set up the rules on release and it's pending relman signoff.
Flags: needinfo?(rdalal)

    
    

    
  
I signed off on this earlier in balrog, so we can go to 5%.
Flags: needinfo?(lhenry)

    
  
Summary: Gradual roll-out of TLS 1.3 → Gradual roll-out of TLS 1.3 on release channel (59)

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v6 (unsigned) (obsolete)
        — 
      

    


  
Version 6.0, enable TLS 1.3 for 10% of release population.

Please sign as a system add-on update, thanks!

        Attachment #8960820 -
        Attachment is obsolete: true

        Attachment #8960826 -
        Attachment is obsolete: true
Flags: needinfo?(wezhou)
Flags: needinfo?(jthomas)

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v6 (signed) (obsolete)
        — 
      

    


  
Signed file attached. Please test.
Flags: needinfo?(wezhou)
Flags: needinfo?(jthomas)

    
    

    
  
Comment on attachment 8961623 [details]
TLS 1.3 roll-out SAO v6 (signed)

Could you please set this up on the test channel? Thanks!

        Attachment #8961623 -
        Attachment description: signed.8961577.xpi → TLS 1.3 roll-out SAO v6 (signed)

        Attachment #8961623 -
        Attachment filename: signed.8961577.xpi → tls13-rollout-bug1442042@mozilla.org-v6.0.xpi
Flags: needinfo?(rdalal)

    
    

    
  
This is on the test channel and pending sign off on release.
Flags: needinfo?(rdalal)

    
    

    
  
(In reply to Rehan Dalal [:rehan, :rdalal] from comment #36)
> This is on the test channel and pending sign off on release.

Liz, can you please sign-off? As before I verified that the only changes are the probability and version #:

diff -r tmp1/bootstrap.js tmp2/bootstrap.js
18c18
< const ENABLE_PROB = 0.05;
---
> const ENABLE_PROB = 0.10;
diff -r tmp1/install.rdf tmp2/install.rdf
5c5
<     <em:version>5.0</em:version>
---
>     <em:version>6.0</em:version>
Flags: needinfo?(lhenry)

    
    

    
  
I signed off so we will be going at 10%, but probably only after bug 1448377 is resolved.
Flags: needinfo?(lhenry)

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v7 (unsigned) (obsolete)
        — 
      

    


  
Version 7.0, which sets the enable probability to 20%

Could you please sign this as a system add-on update? Thanks!

        Attachment #8961577 -
        Attachment is obsolete: true

        Attachment #8961623 -
        Attachment is obsolete: true
Flags: needinfo?(wezhou)
Flags: needinfo?(jthomas)

    
    

    
  

      
      
      
      

        Attached file
          
        TLS 1.3 roll-out SAO v7 (signed) (obsolete)
        — 
      

    


  
Signed file attached. Please test.
Flags: needinfo?(wezhou)
Flags: needinfo?(jthomas)

    
    

    
  
Comment on attachment 8962527 [details]
TLS 1.3 roll-out SAO v7 (signed)

Rehan, could you please host on test channel and set up on release for relman to sign-off? Thanks!

        Attachment #8962527 -
        Attachment description: signed.8962516.xpi → TLS 1.3 fallback-limit roll-out SAO v7 (signed)

        Attachment #8962527 -
        Attachment filename: signed.8962516.xpi → tls13-rollout-bug1442042@mozilla.org-v7.0.xpi
Flags: needinfo?(rdalal)

    
  

        Attachment #8962527 -
        Attachment is obsolete: true

    
  

        Attachment #8962527 -
        Attachment description: TLS 1.3 fallback-limit roll-out SAO v7 (signed) → TLS 1.3 roll-out SAO v7 (signed)

        Attachment #8962527 -
        Attachment is obsolete: false

    
  

        Attachment #8962516 -
        Attachment description: TLS 1.3 fallback-limit roll-out SAO v7 (unsigned) → TLS 1.3 roll-out SAO v7 (unsigned)

        Attachment #8962516 -
        Attachment is obsolete: true

    
    

    
  
This is on the test channel and pending sign off from relman on release.
Flags: needinfo?(rdalal) → needinfo?(lhenry)

    
    

    
  
I ni'ed :lizzard but I'm gonna cancel since rhelmer should probably confirm it is all good on the test channel before sign off
Flags: needinfo?(lhenry)

    
    

    
  
Since we are just bumping the % and re-signing on the same channel, I went ahead and signed off.

    
    

    
  


  
Could you please sign this as a system add-on update? Thanks!

        Attachment #8962527 -
        Attachment is obsolete: true
Flags: needinfo?(wezhou)
Flags: needinfo?(jthomas)

    
    

    
  
Just let me know when you have this on balrog for me to sign off again.

    
  
Flags: needinfo?(wezhou)

    
    

    
  

      
      
      
      

        Attached file
          
        signed.8964323.xpi (obsolete)
        — 
      

    


  
Signed file attached. Please test.

This file is signed using the autograph service. Please let us and Julien V. know if there are issues.

    
  
Flags: needinfo?(jthomas)

    
    

    
  
This is on the test channel (release-sysaddon) and pending sign off on release.

    
    

    
  
(In reply to Rehan Dalal [:rehan, :rdalal] from comment #48)
> This is on the test channel (release-sysaddon) and pending sign off on
> release.

Liz, I've checked and the only difference between the previous extension are the version number (7 -> 8) and the chance of enabling (20% -> 50%). ekr and I have been watching telemetry and everything is going as expected so far.

Please let me know if there's anything I'm missing, otherwise it's ready for your sign-off. Thanks!
Flags: needinfo?(lhenry)

    
    

    
  
I signed off in balrog just now, so this should be rolling out today.
Flags: needinfo?(lhenry)

    
  
Depends on: 1451618
Priority: -- → P1
Whiteboard: [psm-assigned]

    
    

    
  


  
Could you please sign this system add-on update? Thanks!

        Attachment #8964323 -
        Attachment is obsolete: true

        Attachment #8964412 -
        Attachment is obsolete: true

        Attachment #8969023 -
        Flags: feedback?(wezhou)

    
    

    
  


  
Signed file attached. Please test.

        Attachment #8969127 -
        Flags: review+

    
  

        Attachment #8969023 -
        Flags: feedback?(wezhou)

    
    

    
  
Comment on attachment 8969127 [details]
TLS 1.3 roll-out SAO v9 (signed) - 95%

Rehan, could you please put this up on the release-sysaddon test channel and also stage for release? Thanks!

        Attachment #8969127 -
        Attachment description: signed.8969023.xpi → TLS 1.3 roll-out SAO v9 (signed) - 95%

        Attachment #8969127 -
        Attachment filename: signed.8969023.xpi → tls13-rollout-bug1442042@mozilla.org-v9.0.xpi
Flags: needinfo?(rdalal)

    
    

    
  
This is live on release-sysaddon and pending sign off on release.
Flags: needinfo?(rdalal)

    
    

    
  
I'm double-checking the statistics now to make sure we are good. I should know later today, but please don't pull the trigger till then.
Flags: needinfo?(rdalal)

    
    

    
  
I've already queued it up on the release channel. But it will not go out till relman signs off, which won't happen unless specifically requested. Is that okay?
Flags: needinfo?(rdalal)

    
    

    
  
WFM

    
    

    
  
FYI

The "TLS 1.3 gradual roll-out" add-on briefly appeared here in my ff AMO, then vanished again.

Intriguingly, it is stamped [Legacy] (shurely some mistake? - given the dates)

It has no author link, no further-info links, no comments, no stars and is presumably hidden most of the time (not in AMO search)
but from recall there iS an option to remove it.  (I wonder how many 'cleaners' would remove it anyway?)


So, now I know. Isn't obscurity wonderful.

I often lament that there seems to be no mechanism for mozilla to impose useful information on the user, perhaps some restrained broadcast via tweak on the start-up pages.

    
    

    
  
Bill, thanks for the heads-up.

It actually is a legacy add-on (it's not a Web Extension), but it's not something we expect people to install. This sort of clumsy way of rolling out pref flips will be going away in the next few releases though.

    
    

    
  
Rehan, please deploy
Flags: needinfo?(rdalal)

    
    

    
  
Liz, could you please provide relman sign off on scheduled change 880 (rule id: 789). Thanks!
Flags: needinfo?(rdalal) → needinfo?(lhenry)

    
    

    
  
Signed off now so this is live for 59.x.

ekr, for 60 we've built release candidates with security.tls.version.max=4 and security.tls.version.fallback-limit=3, is that ok or do we need a last minute change there?
Flags: needinfo?(lhenry) → needinfo?(ekr)

    
    

    
  
Julien: Good question. Given the time frame, and the fact that we want to dial up fallback-limit on release anyway, I feel like it might be easier to just do this with add-ons, but I'm open to other people's opinions.
Flags: needinfo?(ekr)

    
    

    
  
max=4, fallback=3 is ideal.  We're 100% on max, but want to progressively work up to 100% on fallback (meaning that we want to eliminate it, of course).  The RC seems right.

    
    

    
  
Moving to p3 because no activity for at least 24 weeks.
Priority: P1 → P3

    
    

    
  
Release already has fallback disabled.

    
  
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: