Balrog/Client Domains: Difference between revisions
(→Pinning Requirements: Started using aus4.m.o at 4.0) |
No edit summary |
||
Line 13: | Line 13: | ||
|- | |- | ||
| rowspan="4" | aus5.mozilla.org | | rowspan="4" | aus5.mozilla.org | ||
| rowspan=" | | rowspan="3" | DigiCert | ||
| 07:10:8B:20:9E:D3:45:6C:EE:88:94:91:44:C4:56:0C | | 07:10:8B:20:9E:D3:45:6C:EE:88:94:91:44:C4:56:0C | ||
| Primary | | Primary | ||
| August 13, 2019 | | August 13, 2019 | ||
| None, done by CloudOps | |||
| | |||
|- | |||
| 0D:23:43:9A:32:3D:25:C5:A6:C3:2D:76:63:60:05:53 | |||
| Retired on June 14th, 2019 | |||
| August 13, 2019 | |||
| {{bug|1369143}} | | {{bug|1369143}} | ||
| | | |
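Review bot: the aus5.mozilla.org cell keeps rowspan="4" on both sides while the DigiCert cell becomes rowspan="3" to cover the added 0D:23:43:9A… row; if the two Thawte rows shown in the rendered table still sit under this domain, the outer span needs to be 5, otherwise the last row falls outside the domain cell. The added retired row also carries the same expiration, August 13, 2019, as the Primary row directly above it, so it is worth confirming that date against the certificate actually being served rather than leaving a carried-over value. The revision has no edit summary; a one-line note on the rotation would make the history easier to audit.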
Revision as of 21:07, 20 June 2019
This page documents all of the domains that Balrog serves, when various applications switched to them, their SSL pinning requirements, and active certificates.
SSL Certificates
Domain | Issuer | Serial Number | Primary/Backup | Expiration | Links | Comments |
---|---|---|---|---|---|---|
aus5.mozilla.org | DigiCert | 07:10:8B:20:9E:D3:45:6C:EE:88:94:91:44:C4:56:0C | Primary | August 13, 2019 | None, done by CloudOps | |
aus5.mozilla.org | DigiCert | 0D:23:43:9A:32:3D:25:C5:A6:C3:2D:76:63:60:05:53 | Retired on June 14th, 2019 | August 13, 2019 | bug 1369143 | |
aus5.mozilla.org | DigiCert | 07:D5:0D:C7:F3:68:98:2F:AB:5E:19:B9:C5:FB:A1:5C | Retired on July 20, 2017 | July 28, 2017 | bug 1179339 | |
aus5.mozilla.org | Thawte | 0c:96:80:24:b6:b2:72:81:42:8b:53:a5:24:94:52:fb | Backup | August 14, 2020 | bug 1369143 | |
aus5.mozilla.org | Thawte | ??? | Retired Backup | August 10, 2017 | bug 1179339 | |
aus4.mozilla.org | DigiCert | 05:5A:F0:03:C4:5E:01:11:4A:D0:5E:24:D7:74:3B:1E | Primary | December 7, 2018 | bug 832461 | |
aus4.mozilla.org | Thawte | 25:a8:fd:b6:7a:1f:6c:b8:95:99:e0:91:5c:69:71:05 | Retired Backup | September 24, 2017 | bug 919746 | Explicitly not renewing this cert, per https://bugzilla.mozilla.org/show_bug.cgi?id=1340880#c60 |
aus3.mozilla.org | Thawte | 5b:44:41:c9:34:ed:c8:9c:81:b9:32:0d:09:43:45:a9 | Primary | February 7, 2020 | bug 1340880 | Not possible to have a backup cert because Thawte is the only Issuer compatible with all clients using this domain. |
aus3.mozilla.org | Thawte | 14:6A:AB:C3:52:09:8C:4D:51:7B:FA:1B:AA:21:2C:6A | Retired Primary (retired on September 5, 2017) | September 8, 2017 | ??? | |
Pinning Requirements
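Domain | Application | Versions | Issuer Pinned To | HPKP(inning) | Links | Renewable? |
---|---|---|---|---|---|---|
aus5.mozilla.org | Firefox | 42.0 and up | Nothing | None | bug 1116409 | YES - No pinning requirements for some apps, and we can get certs for those that do pin. |
aus5.mozilla.org | Fennec | 42.0 and up | Nothing | None | bug 1116409 | YES - No pinning requirements for some apps, and we can get certs for those that do pin. |
aus5.mozilla.org | GMP | 42.0 and up | "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"<br>"CN=thawte SSL CA - G2,O=thawte, Inc.,C=US" | None | bug 1116409 | YES - No pinning requirements for some apps, and we can get certs for those that do pin. |
aus5.mozilla.org | Thunderbird | 51.0 and up | Nothing | None | bug 1182352 | YES - No pinning requirements for some apps, and we can get certs for those that do pin. |
aus5.mozilla.org | Thunderbird | 42.0 - 50.0 | "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"<br>"CN=thawte SSL CA - G2,O=thawte, Inc.,C=US" | None | bug 1116409 | YES - No pinning requirements for some apps, and we can get certs for those that do pin. |
aus5.mozilla.org | B2G | ??? | Nothing | None | bug 1116409 | YES - No pinning requirements for some apps, and we can get certs for those that do pin. |
aus5.mozilla.org | SystemAddons | 44.0 and up | Any CA included in Firefox's root store. | None | bug 1213348 | YES - No pinning requirements for some apps, and we can get certs for those that do pin. |
aus4.mozilla.org | Firefox | 36.0 - 41.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"<br>"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" | None | bug 885477 | NO - All apps do pinning, and we cannot get certs that are compatible. |
aus4.mozilla.org | Thunderbird | 36.0 - 41.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"<br>"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" | None | bug 922264 | NO - All apps do pinning, and we cannot get certs that are compatible. |
aus4.mozilla.org | Fennec | 27.0 - 42.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"<br>"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" | None | bug 885477 | NO - All apps do pinning, and we cannot get certs that are compatible. |
aus4.mozilla.org | B2G | ??? | Nothing | None | bug 918068 | NO - All apps do pinning, and we cannot get certs that are compatible. |
aus4.mozilla.org | GMP | 37.0 - 41.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"<br>"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" | None | | NO - All apps do pinning, and we cannot get certs that are compatible. |
aus3.mozilla.org | Firefox | 26.0 - 35.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"<br>"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" | None | bug 921045 | NO - All apps do pinning, and we cannot get certs that are compatible. |
aus3.mozilla.org | Firefox | 4.0 - 25.0 | "OU=Equifax Secure Certificate Authority,O=Equifax,C=US"<br>"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" | None | bug 586213 | NO - All apps do pinning, and we cannot get certs that are compatible. |
aus3.mozilla.org | Thunderbird | 27.0 - 35.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"<br>"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" | None | bug 942748 | NO - All apps do pinning, and we cannot get certs that are compatible. |
aus3.mozilla.org | Thunderbird | 14.0 - 26.0 | "OU=Equifax Secure Certificate Authority,O=Equifax,C=US"<br>"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" | None | bug 751679 | NO - All apps do pinning, and we cannot get certs that are compatible. |
aus2.mozilla.org | Firefox | 2.0 - 3.6 | Nothing | None | bug 302721 | YES - No pinning requirements. We just 302 to another domain at this point, though. |
aus2.mozilla.org | Fennec | 26.0 and earlier | Nothing | None | bug 302721 | YES - No pinning requirements. We just 302 to another domain at this point, though. |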
NB: Beginning with 24.0, Thunderbird started shipping release channel builds of ESR repos. This means that they have not shipped any release builds from Gecko versions other than 24.0, 31.0, 38.0, 45.0, 52.0, etc. The version numbers in the table still apply for Betas shipped from the major versions listed.