From e6556f7d999edaddfab32c96ee76ad2da5758e5b Mon Sep 17 00:00:00 2001 From: Cosmin Sabou Date: Thu, 2 Nov 2023 23:22:42 +0200 Subject: [PATCH] Backed out 5 changesets (bug 1862062) for causing xpcshell failures on test_content_signing.js. CLOSED TREE Backed out changeset dcc224a798ba (bug 1862062) Backed out changeset 8d2222109dd9 (bug 1862062) Backed out changeset 13e730e6e684 (bug 1862062) Backed out changeset 8c73f748ca55 (bug 1862062) Backed out changeset 2a321dff5c82 (bug 1862062) --- .../manager/ssl/SSLServerCertVerification.cpp | 21 + security/manager/ssl/nsNSSCallbacks.cpp | 265 +++++++----- toolkit/actors/NetErrorParent.sys.mjs | 6 + toolkit/components/telemetry/Histograms.json | 388 +++++++++--------- .../telemetry/histogram-allowlists.json | 35 ++ 5 files changed, 421 insertions(+), 294 deletions(-) diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp index a5afaea7c498..f22ddb59175b 100644 --- a/security/manager/ssl/SSLServerCertVerification.cpp +++ b/security/manager/ssl/SSLServerCertVerification.cpp @@ -503,6 +503,27 @@ void GatherCertificateTransparencyTelemetry( // but it failed to parse (e.g. due to unsupported CT protocol version). Telemetry::Accumulate(Telemetry::SSL_SCTS_PER_CONNECTION, sctsCount); + // Report CT Policy compliance of EV certificates. + if (isEV) { + uint32_t evCompliance = 0; + switch (info.policyCompliance) { + case ct::CTPolicyCompliance::Compliant: + evCompliance = 1; + break; + case ct::CTPolicyCompliance::NotEnoughScts: + evCompliance = 2; + break; + case ct::CTPolicyCompliance::NotDiverseScts: + evCompliance = 3; + break; + case ct::CTPolicyCompliance::Unknown: + default: + MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type"); + } + Telemetry::Accumulate(Telemetry::SSL_CT_POLICY_COMPLIANCE_OF_EV_CERTS, + evCompliance); + } + // Report CT Policy compliance by CA. switch (info.policyCompliance) { case ct::CTPolicyCompliance::Compliant: 
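Review bot: In the restored `isEV` block the `Unknown`/`default` arm only asserts, so in builds where `MOZ_ASSERT_UNREACHABLE` compiles out `evCompliance` stays 0 and is still accumulated into SSL_CT_POLICY_COMPLIANCE_OF_EV_CERTS. If bucket 0 is meant to stand for an unknown or unexpected policy state, say so at the initialiser, e.g. `uint32_t evCompliance = 0;  // 0 = unknown/unexpected compliance state`; otherwise skip the `Telemetry::Accumulate` call for that arm. GatherCertificateTransparencyTelemetry starts and ends outside the hunk.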
diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp index e343ac89abeb..d1667e0161be 100644 --- a/security/manager/ssl/nsNSSCallbacks.cpp +++ b/security/manager/ssl/nsNSSCallbacks.cpp @@ -55,6 +55,9 @@ using namespace mozilla::psm; extern LazyLogModule gPIPNSSLog; +static void AccumulateCipherSuite(Telemetry::HistogramID probe, + const SSLChannelInfo& channelInfo); + namespace { // Bits in bit mask for SSL_REASONS_FOR_NOT_FALSE_STARTING telemetry probe 
@@ -900,94 +903,159 @@ static void AccumulateECCCurve(Telemetry::HistogramID probe, uint32_t bits) { Telemetry::Accumulate(probe, value); } -static void AccumulateCipherSuite(const SSLChannelInfo& channelInfo) { +static void AccumulateCipherSuite(Telemetry::HistogramID probe, + const SSLChannelInfo& channelInfo) { uint32_t value; - // Note: this list must include every cipher suite it is possible to enable - // in nsNSSComponent.cpp (see sCipherPrefs and sDeprecatedTLS1CipherPrefs). switch (channelInfo.cipherSuite) { - case TLS_RSA_WITH_3DES_EDE_CBC_SHA: // 0x000A + // ECDHE key exchange + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: value = 1; break; - case TLS_RSA_WITH_AES_128_CBC_SHA: // 0x002F + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: value = 2; break; - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: // 0x0033 + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: value = 3; break; - case TLS_RSA_WITH_AES_256_CBC_SHA: // 0x0035 + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: value = 4; break; - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: // 0x0039 + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: value = 5; break; - case TLS_RSA_WITH_AES_128_GCM_SHA256: // 0x009C + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: value = 6; break; - case TLS_RSA_WITH_AES_256_GCM_SHA384: // 0x009D + case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: value = 7; break; - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: // 0xC009 - value = 8; - break; - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: // 0xC00A - value = 9; - break; - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: // 0xC013 + case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: value = 10; break; - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: // 0xC014 + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: value = 11; break; - case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: // 0xC02B + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: value = 12; break; - case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: // 0xC02C + case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: value = 13; break; - case 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: // 0xC02F + case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: value = 14; break; - case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: // 0xC030 - value = 15; + // DHE key exchange + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: + value = 21; break; - case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: // 0xCCA8 - value = 16; + case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: + value = 22; break; - case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: // 0xCCA9 - value = 17; + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: + value = 23; break; - - // TLS 1.3 cipher suites - case TLS_AES_128_GCM_SHA256: // 0x1301 - value = 18; + case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: + value = 24; break; - case TLS_AES_256_GCM_SHA384: // 0x1302 - value = 19; + case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: + value = 25; break; - case TLS_CHACHA20_POLY1305_SHA256: // 0x1303 - value = 20; + case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: + value = 26; + break; + case TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: + value = 27; + break; + case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: + value = 28; + break; + case TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: + value = 29; + break; + case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: + value = 30; + break; + // ECDH key exchange + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: + value = 41; + break; + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: + value = 42; + break; + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: + value = 43; + break; + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: + value = 44; + break; + case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: + value = 45; + break; + case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: + value = 46; + break; + // RSA key exchange + case TLS_RSA_WITH_AES_128_CBC_SHA: + value = 61; + break; + case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: + value = 62; + break; + case TLS_RSA_WITH_AES_256_CBC_SHA: + value = 63; + break; + case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: + value = 64; + break; + case SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: + value = 65; + break; + case 
TLS_RSA_WITH_3DES_EDE_CBC_SHA: + value = 66; + break; + case TLS_RSA_WITH_SEED_CBC_SHA: + value = 67; + break; + case TLS_RSA_WITH_AES_128_GCM_SHA256: + value = 68; + break; + case TLS_RSA_WITH_AES_256_GCM_SHA384: + value = 69; + break; + // TLS 1.3 PSK resumption + case TLS_AES_128_GCM_SHA256: + value = 70; + break; + case TLS_CHACHA20_POLY1305_SHA256: + value = 71; + break; + case TLS_AES_256_GCM_SHA384: + value = 72; break; - // unknown default: value = 0; break; } MOZ_ASSERT(value != 0); - Telemetry::Accumulate(Telemetry::TLS_CIPHER_SUITE, value); + Telemetry::Accumulate(probe, value); } void HandshakeCallback(PRFileDesc* fd, void* client_data) { + SECStatus rv; + + NSSSocketControl* infoObject = (NSSSocketControl*)fd->higher->secret; + // Do the bookkeeping that needs to be done after the // server's ServerHello...ServerHelloDone have been processed, but that // doesn't need the handshake to be completed. PreliminaryHandshakeDone(fd); - NSSSocketControl* infoObject = (NSSSocketControl*)fd->higher->secret; nsSSLIOLayerHelpers& ioLayerHelpers = infoObject->SharedState().IOLayerHelpers(); SSLVersionRange versions(infoObject->GetTLSVersionRange()); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] HandshakeCallback: succeeded using TLS version range " "(0x%04x,0x%04x)\n", 
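Review bot: The bucket numbers restored in AccumulateCipherSuite disagree with the histogram text restored later in this same patch: here 68 and 69 are `TLS_RSA_WITH_AES_128_GCM_SHA256` and `TLS_RSA_WITH_AES_256_GCM_SHA384`, while the SSL_CIPHER_SUITE_FULL description in Histograms.json says entries 68 and 69 correspond to RC4 ciphers. One of the two needs correcting, otherwise anyone reading the probe will count AES-GCM connections as RC4. The label `// TLS 1.3 PSK resumption` is also misleading, because the caller sends these suites to either the FULL or the RESUMED probe; `// TLS 1.3 cipher suites`, the wording on the removed side, is accurate. The hunk also drops the note that the list must include every cipher suite that can be enabled, which is the invariant `MOZ_ASSERT(value != 0)` relies on, so I would keep that comment above the switch.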
@@ -999,70 +1067,75 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { infoObject->GetPort(), versions.max); SSLChannelInfo channelInfo; - SECStatus rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)); + rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)); MOZ_ASSERT(rv == SECSuccess); - if (rv != SECSuccess) { - return; - } - AccumulateCipherSuite(channelInfo); + if (rv == SECSuccess) { + // Get the protocol version for telemetry + // 1=tls1, 2=tls1.1, 3=tls1.2 + unsigned int versionEnum = channelInfo.protocolVersion & 0xFF; + MOZ_ASSERT(versionEnum > 0); + Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_VERSION, versionEnum); + AccumulateCipherSuite(infoObject->IsFullHandshake() + ? Telemetry::SSL_CIPHER_SUITE_FULL + : Telemetry::SSL_CIPHER_SUITE_RESUMED, + channelInfo); - // Get the protocol version for telemetry - // 1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3 - unsigned int versionEnum = channelInfo.protocolVersion & 0xFF; - MOZ_ASSERT(versionEnum > 0); - Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_VERSION, versionEnum); + SSLCipherSuiteInfo cipherInfo; + rv = SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo, + sizeof cipherInfo); + MOZ_ASSERT(rv == SECSuccess); + if (rv == SECSuccess) { + // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4 + Telemetry::Accumulate(infoObject->IsFullHandshake() + ? Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_FULL + : Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_RESUMED, + channelInfo.keaType); - SSLCipherSuiteInfo cipherInfo; - rv = SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo, - sizeof cipherInfo); - MOZ_ASSERT(rv == SECSuccess); - if (rv != SECSuccess) { - return; - } - // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4 - Telemetry::Accumulate(infoObject->IsFullHandshake() - ? 
Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_FULL - : Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_RESUMED, - channelInfo.keaType); + if (infoObject->IsFullHandshake()) { + switch (channelInfo.keaType) { + case ssl_kea_rsa: + AccumulateNonECCKeySize(Telemetry::SSL_KEA_RSA_KEY_SIZE_FULL, + channelInfo.keaKeyBits); + break; + case ssl_kea_dh: + AccumulateNonECCKeySize(Telemetry::SSL_KEA_DHE_KEY_SIZE_FULL, + channelInfo.keaKeyBits); + break; + case ssl_kea_ecdh: + AccumulateECCCurve(Telemetry::SSL_KEA_ECDHE_CURVE_FULL, + channelInfo.keaKeyBits); + break; + default: + MOZ_CRASH("impossible KEA"); + break; + } - if (infoObject->IsFullHandshake()) { - switch (channelInfo.keaType) { - case ssl_kea_rsa: - AccumulateNonECCKeySize(Telemetry::SSL_KEA_RSA_KEY_SIZE_FULL, - channelInfo.keaKeyBits); - break; - case ssl_kea_dh: - AccumulateNonECCKeySize(Telemetry::SSL_KEA_DHE_KEY_SIZE_FULL, - channelInfo.keaKeyBits); - break; - case ssl_kea_ecdh: - AccumulateECCCurve(Telemetry::SSL_KEA_ECDHE_CURVE_FULL, - channelInfo.keaKeyBits); - break; - default: - MOZ_CRASH("impossible KEA"); - break; - } + Telemetry::Accumulate(Telemetry::SSL_AUTH_ALGORITHM_FULL, + channelInfo.authType); - Telemetry::Accumulate(Telemetry::SSL_AUTH_ALGORITHM_FULL, - channelInfo.authType); - - // RSA key exchange doesn't use a signature for auth. - if (channelInfo.keaType != ssl_kea_rsa) { - switch (channelInfo.authType) { - case ssl_auth_rsa: - case ssl_auth_rsa_sign: - AccumulateNonECCKeySize(Telemetry::SSL_AUTH_RSA_KEY_SIZE_FULL, - channelInfo.authKeyBits); - break; - case ssl_auth_ecdsa: - AccumulateECCCurve(Telemetry::SSL_AUTH_ECDSA_CURVE_FULL, - channelInfo.authKeyBits); - break; - default: - MOZ_CRASH("impossible auth algorithm"); - break; + // RSA key exchange doesn't use a signature for auth. 
+ if (channelInfo.keaType != ssl_kea_rsa) { + switch (channelInfo.authType) { + case ssl_auth_rsa: + case ssl_auth_rsa_sign: + AccumulateNonECCKeySize(Telemetry::SSL_AUTH_RSA_KEY_SIZE_FULL, + channelInfo.authKeyBits); + break; + case ssl_auth_ecdsa: + AccumulateECCCurve(Telemetry::SSL_AUTH_ECDSA_CURVE_FULL, + channelInfo.authKeyBits); + break; + default: + MOZ_CRASH("impossible auth algorithm"); + break; + } + } } + + Telemetry::Accumulate(infoObject->IsFullHandshake() + ? Telemetry::SSL_SYMMETRIC_CIPHER_FULL + : Telemetry::SSL_SYMMETRIC_CIPHER_RESUMED, + cipherInfo.symCipher); } } diff --git a/toolkit/actors/NetErrorParent.sys.mjs b/toolkit/actors/NetErrorParent.sys.mjs index ac0dbf49a07c..9b7d85d83509 100644 --- a/toolkit/actors/NetErrorParent.sys.mjs +++ b/toolkit/actors/NetErrorParent.sys.mjs @@ -278,6 +278,12 @@ export class NetErrorParent extends JSWindowActorParent { case "Browser:SSLErrorGoBack": this.goBackFromErrorPage(this.browser); break; + case "Browser:SSLErrorReportTelemetry": + let reportStatus = message.data.reportStatus; + Services.telemetry + .getHistogramById("TLS_ERROR_REPORT_UI") + .add(reportStatus); + break; case "GetChangedCertPrefs": let hasChangedCertPrefs = this.hasChangedCertPrefs(); this.sendAsyncMessage("HasChangedCertPrefs", { diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json index 50d5a914149b..3b25024c47c5 100644 --- a/toolkit/components/telemetry/Histograms.json +++ b/toolkit/components/telemetry/Histograms.json @@ -270,8 +270,8 @@ "description": "Recorded when application reputation remote lookup is performed, `true` is recorded if the lookup times out." }, "ADDON_SIGNATURE_VERIFICATION_STATUS": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "expires_in_version": "never", "releaseChannelCollection": "opt-out", 
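Review bot: Both `default:` arms in the restored full-handshake block call `MOZ_CRASH` ("impossible KEA", "impossible auth algorithm") on `channelInfo.keaType` and `channelInfo.authType`, which describe what was negotiated with the remote server, so a telemetry-only path aborts the process if NSS ever reports a type outside the listed cases. Nothing but a histogram depends on the result, so a debug-only assertion with no accumulation is the safer choice: `default: MOZ_ASSERT_UNREACHABLE("unexpected KEA"); break;`, and the same for the auth switch. The protocol-version comment also lost its last entry in this change and should read `// 1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3`. HandshakeCallback starts before this hunk and continues after it.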
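Review bot: `message.data.reportStatus` is handed straight to `.add()` in the new `Browser:SSLErrorReportTelemetry` case, and in a JSWindowActorParent that value is supplied by the child side of the actor, so the parent should not assume it is a valid bucket. Check it before recording, e.g. `if (Number.isInteger(reportStatus) && reportStatus >= 0) { ... }`, ideally against the value range of TLS_ERROR_REPORT_UI, which is not visible here. The `let reportStatus` also sits directly in the `case` clause, so it shares one scope with every other case in the switch; wrapping the case body in `{ }` avoids a redeclaration clash. The enclosing switch starts and ends outside the hunk.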
@@ -3558,8 +3558,8 @@ "releaseChannelCollection": "opt-out" }, "SSL_HANDSHAKE_VERSION": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1250568, 1340021], "releaseChannelCollection": "opt-out", @@ -3570,7 +3570,7 @@ }, "SSL_HANDSHAKE_PRIVACY": { "record_in_processes": ["main", "socket"], - "products": ["firefox"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1788290], "releaseChannelCollection": "opt-out", @@ -3580,8 +3580,8 @@ "description": "0th bit - TLS13 used? 1th bit - Revocation Privacy, 2nd bit - DNS Privacy, 3rd bit - ECH Privacy" }, "SSL_HANDSHAKE_RESULT": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1331280, 1340021], "releaseChannelCollection": "opt-out", @@ -3591,8 +3591,8 @@ "description": "SSL handshake result, 0=success, 1-255=NSS error offset, 256-511=SEC error offset + 256, 512-639=NSPR error offset + 512, 640-670=PKIX error, 671=unknown err" }, "SSL_HANDSHAKE_RESULT_FIRST_TRY": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1780014], "releaseChannelCollection": "opt-out", 
@@ -3602,8 +3602,8 @@ "description": "SSL handshake result for first-try connections, 0=success, 1-255=NSS error offset, 256-511=SEC error offset + 256, 512-639=NSPR error offset + 512, 640-670=PKIX error, 671=unknown err" }, "SSL_HANDSHAKE_RESULT_CONSERVATIVE": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1780014], "releaseChannelCollection": "opt-out", @@ -3613,8 +3613,8 @@ "description": "SSL handshake result for conservative mode connections, 0=success, 1-255=NSS error offset, 256-511=SEC error offset + 256, 512-639=NSPR error offset + 512, 640-670=PKIX error, 671=unknown err" }, "SSL_HANDSHAKE_RESULT_ECH": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1771479], "releaseChannelCollection": "opt-out", @@ -3624,8 +3624,8 @@ "description": "SSL handshake result for connections which used ECH 'Real', 0=success, 1-255=NSS error offset, 256-511=SEC error offset + 256, 512-639=NSPR error offset + 512, 640-670=PKIX error, 671=unknown err" }, "SSL_HANDSHAKE_RESULT_ECH_GREASE": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1771479], "releaseChannelCollection": "opt-out", 
@@ -3635,8 +3635,8 @@ "description": "SSL handshake result for connections which used ECH GREASE, 0=success, 1-255=NSS error offset, 256-511=SEC error offset + 256, 512-639=NSPR error offset + 512, 640-670=PKIX error, 671=unknown err" }, "SSL_TIME_UNTIL_READY": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1340021], "releaseChannelCollection": "opt-out", @@ -3647,8 +3647,8 @@ "description": "ms of SSL wait time including TCP and proxy tunneling" }, "SSL_TIME_UNTIL_READY_FIRST_TRY": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1340021], "releaseChannelCollection": "opt-out", @@ -3659,8 +3659,8 @@ "description": "ms of SSL wait time including TCP and proxy tunneling for first-try connections" }, "SSL_TIME_UNTIL_READY_CONSERVATIVE": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1340021], "releaseChannelCollection": "opt-out", @@ -3671,8 +3671,8 @@ "description": "ms of SSL wait time including TCP and proxy tunneling for conservative-mode connections" }, "SSL_TIME_UNTIL_READY_ECH": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1771479], "releaseChannelCollection": "opt-out", 
@@ -3683,8 +3683,8 @@ "description": "ms of SSL wait time including TCP and proxy tunneling for connections using ECH 'Real'" }, "SSL_TIME_UNTIL_READY_ECH_GREASE": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1771479], "releaseChannelCollection": "opt-out", @@ -3695,9 +3695,9 @@ "description": "ms of SSL wait time including TCP and proxy tunneling for connections using ECH GREASE" }, "SSL_TIME_UNTIL_HANDSHAKE_FINISHED_KEYED_BY_KA": { - "record_in_processes": ["main"], - "products": ["firefox"], - "alert_emails": ["seceng-telemetry@mozilla.com"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], + "alert_emails": ["seceng-telemetry@mozilla.com", "fkiefer@mozilla.com"], "bug_numbers": [1340021, 1513839], "releaseChannelCollection": "opt-out", "expires_in_version": "never", @@ -3724,11 +3724,9 @@ "description": "Success / Fail Rates for HTTP3 Keyed by ECH Usage" }, "SSL_BYTES_BEFORE_CERT_CALLBACK": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1862062], - "releaseChannelCollection": "opt-out", "expires_in_version": "never", "kind": "exponential", "high": 32000, @@ -3736,8 +3734,8 @@ "description": "plaintext bytes read before a server certificate authenticated" }, "SSL_NPN_TYPE": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "expires_in_version": "never", "kind": "enumerated", 
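Review bot: The restored SSL_BYTES_BEFORE_CERT_CALLBACK entry loses both `"bug_numbers"` and `"releaseChannelCollection": "opt-out"`, and the same happens in the later hunks for CERT_VALIDATION_HTTP_REQUEST_*, SSL_KEY_EXCHANGE_ALGORITHM_*, the two *_CERT_VALIDATION_TIME_MOZILLAPKIX probes and the SSL_KEA_* entries. Without the opt-out flag these certificate-validation and key-exchange probes presumably fall back to the schema default and stop reporting from release-channel users, which narrows the population the security team can observe. If that is not intended for the backout, keep `"releaseChannelCollection": "opt-out"` on the restored entries. The missing `bug_numbers` presumably rely on the histogram-allowlists.json additions listed in the diffstat, which are not shown here.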
@@ -3745,8 +3743,8 @@ "description": "NPN Results (0=none, 1=negotiated, 2=no-overlap, 3=selected(alpn))" }, "SSL_RESUMED_SESSION": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1340021], "releaseChannelCollection": "opt-out", @@ -3755,22 +3753,18 @@ "description": "complete TLS connect that used TLS Session Resumption (collected at same time as SSL_TIME_UNTIL_HANDSHAKE_FINISHED)" }, "CERT_VALIDATION_HTTP_REQUEST_RESULT": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1862062], - "releaseChannelCollection": "opt-out", "expires_in_version": "never", "kind": "enumerated", "n_values": 16, "description": "HTTP result of OCSP, etc.. (0=canceled, 1=OK, 2=FAILED, 3=internal-error)" }, "CERT_VALIDATION_HTTP_REQUEST_CANCELED_TIME": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1862062], - "releaseChannelCollection": "opt-out", "expires_in_version": "never", "kind": "exponential", "high": 60000, @@ -3778,11 +3772,9 @@ "description": "ms elapsed time of OCSP etc.. that was canceled" }, "CERT_VALIDATION_HTTP_REQUEST_SUCCEEDED_TIME": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1862062], - "releaseChannelCollection": "opt-out", "expires_in_version": "never", "kind": "exponential", "high": 60000, 
@@ -3790,11 +3782,9 @@ "description": "ms elapsed time of OCSP etc.. that succeeded" }, "CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1862062], - "releaseChannelCollection": "opt-out", "expires_in_version": "never", "kind": "exponential", "high": 60000, @@ -3802,22 +3792,18 @@ "description": "ms elapsed time of OCSP etc.. that failed" }, "SSL_KEY_EXCHANGE_ALGORITHM_FULL": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1862062], - "releaseChannelCollection": "opt-out", "expires_in_version": "never", "kind": "enumerated", "n_values": 16, "description": "SSL Handshake Key Exchange Algorithm for full handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)" }, "SSL_KEY_EXCHANGE_ALGORITHM_RESUMED": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1862062], - "releaseChannelCollection": "opt-out", "expires_in_version": "never", "kind": "enumerated", "n_values": 16, @@ -3825,7 +3811,7 @@ }, "OCSP_AGE_AT_CRLITE_OVERRIDE": { "record_in_processes": ["main", "socket"], - "products": ["firefox"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com", "jschanck@mozilla.com"], "bug_numbers": [1794479, 1817101, 1846897], "expires_in_version": "125", 
@@ -3838,7 +3824,7 @@ }, "CRLITE_VS_OCSP_RESULT": { "record_in_processes": ["main", "socket"], - "products": ["firefox"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com", "dkeeler@mozilla.com"], "bug_numbers": [1675655, 1758827, 1817102, 1846898], "expires_in_version": "125", @@ -3860,7 +3846,7 @@ }, "CERT_REVOCATION_MECHANISMS": { "record_in_processes": ["main", "socket"], - "products": ["firefox"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com", "jschanck@mozilla.com"], "bug_numbers": [1794450, 1817101, 1846897], "expires_in_version": "125", @@ -10947,11 +10933,9 @@ "description": "Time (ms) it takes to figure out extension last modified time" }, "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1862062], - "releaseChannelCollection": "opt-out", "expires_in_version": "never", "kind": "exponential", "high": 60000, @@ -10959,11 +10943,9 @@ "description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)" }, "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1862062], - "releaseChannelCollection": "opt-out", "expires_in_version": "never", "kind": "exponential", "high": 60000, 
@@ -12843,22 +12825,19 @@ "description": "How often audio loads fail in regular mode and in upgrading mode?" }, "CONTENT_SIGNATURE_VERIFICATION_STATUS": { - "record_in_processes": ["main"], - "products": ["firefox"], - "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1258647, 1862062], - "releaseChannelCollection": "opt-out", + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec", "thunderbird"], + "alert_emails": ["seceng-telemetry@mozilla.com", "fkiefer@mozilla.com"], "expires_in_version": "never", "kind": "enumerated", "n_values": 20, + "bug_numbers": [1258647], "description": "What was the result of the content signature verification? 0=valid, 1=invalid, 2=noCertChain, 3=createContextFailedWithOtherError, 4=expiredCert, 5=certNotValidYet, 6=buildCertChainFailed, 7=eeCertForWrongHost, 8=extractKeyError, 9=vfyContextError" }, "CONTENT_SIGNATURE_VERIFICATION_ERRORS": { - "record_in_processes": ["main"], - "products": ["firefox"], - "alert_emails": ["seceng-telemetry@mozilla.com"], - "bug_numbers": [1435713, 1862062], - "releaseChannelCollection": "opt-out", + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec", "thunderbird"], + "alert_emails": ["seceng-telemetry@mozilla.com", "fkiefer@mozilla.com"], "expires_in_version": "never", "kind": "categorical", "keyed": true, @@ -12874,6 +12853,7 @@ "err8", "err9" ], + "bug_numbers": [1435713], "description": "Result of the content signature verification keyed by application (certificate fingerprint). 0=valid, 1=invalid, 2=noCertChain, 3=createContextFailedWithOtherError, 4=expiredCert, 5=certNotValidYet, 6=buildCertChainFailed, 7=eeCertForWrongHost, 8=extractKeyError, 9=vfyContextError" }, "NTLM_MODULE_USED_2": { 
@@ -13145,8 +13125,8 @@ "labels": ["none", "unicodeName", "unicodeValue"] }, "SSL_TLS13_INTOLERANCE_REASON_PRE": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1250568], "expires_in_version": "never", @@ -13155,8 +13135,8 @@ "description": "Potential TLS 1.3 intolerance, before considering historical info (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)." }, "SSL_TLS13_INTOLERANCE_REASON_POST": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "bug_numbers": [1250568], "expires_in_version": "never", @@ -13165,8 +13145,8 @@ "description": "Potential TLS 1.3 intolerance, after considering historical info (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)." }, "SSL_TLS12_INTOLERANCE_REASON_PRE": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "expires_in_version": "never", "kind": "enumerated", @@ -13174,8 +13154,8 @@ "description": "Potential TLS 1.2 intolerance, before considering historical info (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)." }, "SSL_TLS12_INTOLERANCE_REASON_POST": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "expires_in_version": "never", "kind": "enumerated", 
@@ -13183,8 +13163,8 @@ "description": "Potential TLS 1.2 intolerance, after considering historical info (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)." }, "SSL_TLS11_INTOLERANCE_REASON_PRE": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "expires_in_version": "never", "kind": "enumerated", @@ -13192,8 +13172,8 @@ "description": "Potential TLS 1.1 intolerance, before considering historical info (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)." }, "SSL_TLS11_INTOLERANCE_REASON_POST": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "expires_in_version": "never", "kind": "enumerated", @@ -13201,8 +13181,8 @@ "description": "Potential TLS 1.1 intolerance, after considering historical info (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)." }, "SSL_TLS10_INTOLERANCE_REASON_PRE": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "expires_in_version": "never", "kind": "enumerated", @@ -13210,8 +13190,8 @@ "description": "Potential TLS 1.0 intolerance, before considering historical info (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)." }, "SSL_TLS10_INTOLERANCE_REASON_POST": { - "record_in_processes": ["main"], - "products": ["firefox"], + "record_in_processes": ["main", "content"], + "products": ["firefox", "fennec"], "alert_emails": ["seceng-telemetry@mozilla.com"], "expires_in_version": "never", "kind": "enumerated", 
@@ -13219,138 +13199,143 @@
 "description": "Potential TLS 1.0 intolerance, after considering historical info (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)."
 },
 "SSL_VERSION_FALLBACK_INAPPROPRIATE": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 64,
 "description": "TLS/SSL version intolerance was falsely detected, server rejected handshake (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)."
 },
- "TLS_CIPHER_SUITE": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "SSL_CIPHER_SUITE_FULL": {
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
- "n_values": 64,
- "description": "Negotiated cipher suite in TLS handshake (see key in AccumulateCipherSuite in nsNSSCallbacks.cpp)"
+ "n_values": 128,
+ "description": "Negotiated cipher suite in full handshake (see key in AccumulateCipherSuite in nsNSSCallbacks.cpp). Entries #8, 9, 47, 48, 68, and 69 correspond to ciphers that use RC4."
+ },
+ "SSL_CIPHER_SUITE_RESUMED": {
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
+ "alert_emails": ["seceng-telemetry@mozilla.com"],
+ "expires_in_version": "never",
+ "kind": "enumerated",
+ "n_values": 128,
+ "description": "Negotiated cipher suite in resumed handshake (see key in AccumulateCipherSuite in nsNSSCallbacks.cpp)"
 },
 "SSL_KEA_RSA_KEY_SIZE_FULL": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 24,
 "description": "RSA KEA (TLS_RSA_*) key size in full handshake"
 },
 "SSL_KEA_DHE_KEY_SIZE_FULL": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 24,
 "description": "DHE KEA (TLS_DHE_*) key size in full handshake"
 },
 "SSL_KEA_ECDHE_CURVE_FULL": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 36,
 "description": "ECDHE KEA (TLS_ECDHE_*) curve (23=P-256, 24=P-384, 25=P-521, 29=Curve25519) in full handshake"
 },
 "SSL_AUTH_ALGORITHM_FULL": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 16,
 "description": "SSL Authentication Algorithm (null=0, rsa(KEA)=1, ecdsa=4, rsa(sign)=7) in full handshake"
 },
 "SSL_AUTH_RSA_KEY_SIZE_FULL": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 24,
 "description": "RSA signature key size for TLS_*_RSA_* in full handshake"
 },
 "SSL_AUTH_ECDSA_CURVE_FULL": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 36,
 "description": "ECDSA signature curve for TLS_*_ECDSA_* in full handshake (23=P-256, 24=P-384, 25=P-521)"
 },
- "SSL_REASONS_FOR_NOT_FALSE_STARTING": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "SSL_SYMMETRIC_CIPHER_FULL": {
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
+ "alert_emails": ["seceng-telemetry@mozilla.com"],
+ "expires_in_version": "never",
+ "kind": "enumerated",
+ "n_values": 32,
+ "description": "Symmetric cipher used in full handshake (null=0, 3des=4, aes-cbc=7, aes-gcm=10, chacha20=11)"
+ },
+ "SSL_SYMMETRIC_CIPHER_RESUMED": {
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
+ "alert_emails": ["seceng-telemetry@mozilla.com"],
+ "expires_in_version": "never",
+ "kind": "enumerated",
+ "n_values": 32,
+ "description": "Symmetric cipher used in resumed handshake (null=0, 3des=4, aes-cbc=7, aes-gcm=10, chacha20=11)"
+ },
+ "SSL_REASONS_FOR_NOT_FALSE_STARTING": {
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 512,
 "description": "Bitmask of reasons we did not false start when libssl would have let us (see key in nsNSSCallbacks.cpp)"
 },
 "SSL_HANDSHAKE_TYPE": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 8,
 "description": "Type of handshake (1=resumption, 2=false started, 3=chose not to false start, 4=not allowed to false start)"
 },
 "SSL_OCSP_STAPLING": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec", "thunderbird"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 8,
 "description": "Status of OCSP stapling on this handshake (1=present, good; 2=none; 3=present, expired; 4=present, other error)"
 },
 "SSL_CERT_ERROR_OVERRIDES": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec", "thunderbird"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 24,
 "description": "Was a certificate error overridden on this handshake? What was it? (0=unknown error (indicating bug), 1=no, >1=a specific error)"
 },
 "SSL_CERT_VERIFICATION_ERRORS": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": [
 "jhofmann@mozilla.com",
 "rtestard@mozilla.com",
@@ -13363,9 +13348,20 @@
 "releaseChannelCollection": "opt-out",
 "description": "If certificate verification failed in a TLS handshake, what was the error? (see MapCertErrorToProbeValue in security/manager/ssl/SSLServerCertVerification.cpp and the values in security/pkix/include/pkix/Result.h)"
 },
+ "SSL_CT_POLICY_COMPLIANCE_OF_EV_CERTS": {
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
+ "alert_emails": ["seceng-telemetry@mozilla.com"],
+ "expires_in_version": "62",
+ "kind": "enumerated",
+ "n_values": 10,
+ "bug_numbers": [1320567],
+ "releaseChannelCollection": "opt-out",
+ "description": "Certificate Transparency Policy compliance of successfully established SSL connections with EV certificate (1=Compliant, 2=Insufficient number of SCTs, 3=Insufficient diversity of CT Log operators)"
+ },
 "SSL_CT_POLICY_COMPLIANT_CONNECTIONS_BY_CA": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
 "expires_in_version": "never",
 "kind": "enumerated",
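Review bot: `SSL_CIPHER_SUITE_RESUMED` in the `@@ -13219,138 +13199,143 @@` hunk lacks the RC4 bucket note that `SSL_CIPHER_SUITE_FULL` carries, although both descriptions point at the same key in AccumulateCipherSuite and both use `"n_values": 128`. If the two probes share one bucket numbering (the shared key reference suggests so, but the function body is not part of this hunk), the resumed probe should end with the same sentence, `Entries #8, 9, 47, 48, 68, and 69 correspond to ciphers that use RC4.` Without it, anyone checking resumed sessions for legacy cipher use has to recover the mapping from nsNSSCallbacks.cpp.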
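Review bot: `SSL_CT_POLICY_COMPLIANCE_OF_EV_CERTS` in the `@@ -13363,9 +13348,20 @@` hunk comes back with `"expires_in_version": "62"`, so in a tree dated November 2023 the probe is presumably long expired and the `Telemetry::Accumulate` call restored in SSLServerCertVerification.cpp would record nothing. If EV Certificate Transparency compliance is still meant to be measured, the entry needs a live expiry; if not, the definition and the accumulation are both dead and can be left out of the reland. The description also documents only values 1 to 3, while the restored switch leaves `evCompliance` at 0 on the `Unknown`/`default` path before accumulating, so `0=Unknown (unexpected)` belongs in the list.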
@@ -13375,8 +13371,8 @@
 "description": "Number of successfully established TLS connections compliant with the Certificate Transparency Policy, by CA. See https://searchfox.org/mozilla-central/source/security/manager/ssl/RootHashes.inc for names of CAs. Bucket zero holds CAs not present in the list."
 },
 "SSL_CT_POLICY_NON_COMPLIANT_CONNECTIONS_BY_CA": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
 "expires_in_version": "never",
 "kind": "enumerated",
@@ -13386,20 +13382,18 @@
 "description": "Number of successfully established TLS connections NOT compliant with the Certificate Transparency Policy, by CA. See https://searchfox.org/mozilla-central/source/security/manager/ssl/RootHashes.inc for names of CAs. Bucket zero holds CAs not present in the list."
 },
 "SSL_PERMANENT_CERT_ERROR_OVERRIDES": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
- "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
- "expires_in_version": "never",
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
+ "alert_emails": ["seceng@mozilla.org"],
+ "expires_in_version": "default",
 "kind": "exponential",
 "high": 1024,
 "n_buckets": 10,
 "description": "How many permanent certificate overrides a user has stored."
 },
 "SSL_SCTS_ORIGIN": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
 "expires_in_version": "never",
 "kind": "enumerated",
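Review bot: `SSL_PERMANENT_CERT_ERROR_OVERRIDES` in the `@@ -13386,20 +13382,18 @@` hunk ends up with `"alert_emails": ["seceng@mozilla.org"]` and `"expires_in_version": "default"`, while the neighbouring TLS probes use `seceng-telemetry@mozilla.com` and `"never"`. The number of stored permanent certificate overrides is a security signal, and alerts sent to an address other than the team's telemetry list may go unread (whether the older address is still monitored is not visible here). `CERT_EV_STATUS` in the `@@ -13430,36 +13424,43 @@` hunk gets the same address, and `CERT_CHAIN_KEY_SIZE_STATUS` in `@@ -13522,12 +13517,9 @@` gets the same `"default"` expiry. Suggest keeping `"alert_emails": ["seceng-telemetry@mozilla.com"],` and `"expires_in_version": "never",` on these entries even while the rest of the change is backed out.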
@@ -13409,8 +13403,8 @@
 "description": "Origin of Signed Certificate Timestamps received (1=Embedded, 2=TLS handshake extension, 3=Stapled OCSP response)"
 },
 "SSL_SCTS_PER_CONNECTION": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
 "expires_in_version": "never",
 "kind": "enumerated",
@@ -13420,8 +13414,8 @@
 "description": "Histogram of Signed Certificate Timestamps per SSL connection, from all sources (embedded / OCSP Stapling / TLS handshake). Bucket 0 counts the cases when no SCTs were received, or none were extracted due to parsing errors."
 },
 "SSL_SCTS_VERIFICATION_STATUS": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
 "expires_in_version": "never",
 "kind": "enumerated",
@@ -13430,36 +13424,43 @@
 "releaseChannelCollection": "opt-out",
 "description": "Verification status of Signed Certificate Timestamps received (0=Decoding error, 1=Valid SCT, 2=SCT from unknown log, 3=Invalid SCT signature, 4=SCT timestamp is in the future, 5=Valid SCT from a disqualified log)"
 },
+ "TLS_ERROR_REPORT_UI": {
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
+ "expires_in_version": "never",
+ "kind": "enumerated",
+ "n_values": 15,
+ "description": "User interaction with the TLS Error Reporter in about:neterror (0=Error seen, 1='auto' checked, 2='auto' unchecked, 3=Sent manually, 4=Sent automatically, 5=Send success, 6=Send failure, 7=Report section expanded)"
+ },
 "CERT_OCSP_ENABLED": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
 "expires_in_version": "never",
 "kind": "boolean",
 "description": "Is OCSP fetching enabled? (pref security.OCSP.enabled)"
 },
 "CERT_OCSP_REQUIRED": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["seceng-telemetry@mozilla.com"],
 "expires_in_version": "never",
 "kind": "boolean",
 "description": "Is OCSP required when the cert has an OCSP URI? (pref security.OCSP.require)"
 },
 "CERT_EV_STATUS": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "expires_in_version": "never",
- "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1254653, 1862062],
- "releaseChannelCollection": "opt-out",
+ "alert_emails": ["seceng@mozilla.org"],
+ "bug_numbers": [1254653],
 "kind": "enumerated",
 "n_values": 10,
 "description": "EV status of a certificate, recorded on each TLS connection. 0=invalid, 1=DV, 2=EV"
 },
 "CERT_VALIDATION_SUCCESS_BY_CA": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "expires_in_version": "never",
 "alert_emails": ["jjones@mozilla.com", "seceng-telemetry@mozilla.com"],
 "releaseChannelCollection": "opt-out",
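Review bot: `TLS_ERROR_REPORT_UI` is restored with neither `alert_emails` nor `bug_numbers`, so a shift in how users interact with the TLS error reporter would reach nobody and the probe has no recorded review. `CERT_CHAIN_KEY_SIZE_STATUS` in the `@@ -13522,12 +13517,9 @@` hunk loses its `alert_emails` the same way. Both names are also added to histogram-allowlists.json in this patch, which is presumably what lets the definitions pass validation without those fields. Suggest adding `"alert_emails": ["seceng-telemetry@mozilla.com"],` to both entries instead of relying on the allowlist.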
@@ -13469,39 +13470,33 @@
 "description": "Successful SSL server cert validations by CA (see RootHashes.inc for names of CAs)"
 },
 "CERT_PINNING_FAILURES_BY_CA": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["pinning@mozilla.org"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "enumerated",
 "n_values": 256,
 "description": "Pinning failures by CA (see RootHashes.inc for names of CAs)"
 },
 "CERT_PINNING_RESULTS": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec", "thunderbird"],
 "alert_emails": ["pinning@mozilla.org"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "boolean",
 "description": "Certificate pinning results (0 = failure, 1 = success)"
 },
 "CERT_PINNING_TEST_RESULTS": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec", "thunderbird"],
 "alert_emails": ["pinning@mozilla.org"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
 "expires_in_version": "never",
 "kind": "boolean",
 "description": "Certificate pinning test results (0 = failure, 1 = success)"
 },
 "CERT_PINNING_MOZ_RESULTS_BY_HOST": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["dkeeler@mozilla.com", "pinning@mozilla.org"],
 "releaseChannelCollection": "opt-out",
 "bug_numbers": [1007844, 1521940],
@@ -13511,8 +13506,8 @@
 "description": "Certificate pinning results by host for Mozilla operational sites"
 },
 "CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
 "alert_emails": ["dkeeler@mozilla.com", "pinning@mozilla.org"],
 "releaseChannelCollection": "opt-out",
 "bug_numbers": [1007844, 1521940],
@@ -13522,12 +13517,9 @@
 "description": "Certificate pinning test results by host for Mozilla operational sites"
 },
 "CERT_CHAIN_KEY_SIZE_STATUS": {
- "record_in_processes": ["main"],
- "products": ["firefox"],
- "alert_emails": ["seceng-telemetry@mozilla.com"],
- "bug_numbers": [1862062],
- "releaseChannelCollection": "opt-out",
- "expires_in_version": "never",
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec", "thunderbird"],
+ "expires_in_version": "default",
 "kind": "enumerated",
 "n_values": 4,
 "description": "Does enforcing a larger minimum RSA key size cause verification failures? 1 = no, 2 = yes, 3 = another error prevented finding a verified chain"
diff --git a/toolkit/components/telemetry/histogram-allowlists.json b/toolkit/components/telemetry/histogram-allowlists.json
index a7c1652d0a87..30dec26dc991 100644
--- a/toolkit/components/telemetry/histogram-allowlists.json
+++ b/toolkit/components/telemetry/histogram-allowlists.json
@@ -72,6 +72,7 @@
 "CACHE_SERVICE_LOCK_WAIT_MAINTHREAD_NSPROCESSREQUESTEVENT_RUN",
 "CANVAS_2D_USED",
 "CANVAS_WEBGL_USED",
+ "CERT_CHAIN_KEY_SIZE_STATUS",
 "CHANGES_OF_DETECTED_LANGUAGE",
 "CHANGES_OF_TARGET_LANGUAGE",
 "CHECK_ADDONS_MODIFIED_MS",
@@ -269,6 +270,7 @@
 "TAP_TO_LOAD_IMAGE_SIZE",
 "THUNDERBIRD_GLODA_SIZE_MB",
 "THUNDERBIRD_INDEXING_RATE_MSG_PER_S",
+ "TLS_ERROR_REPORT_UI",
 "TRANSLATED_CHARACTERS",
 "TRANSLATED_PAGES",
 "TRANSLATED_PAGES_BY_LANGUAGE",
@@ -364,8 +366,16 @@
 "CACHE_SERVICE_LOCK_WAIT_MAINTHREAD_NSPROCESSREQUESTEVENT_RUN",
 "CANVAS_2D_USED",
 "CANVAS_WEBGL_USED",
+ "CERT_CHAIN_KEY_SIZE_STATUS",
 "CERT_OCSP_ENABLED",
 "CERT_OCSP_REQUIRED",
+ "CERT_PINNING_FAILURES_BY_CA",
+ "CERT_PINNING_RESULTS",
+ "CERT_PINNING_TEST_RESULTS",
+ "CERT_VALIDATION_HTTP_REQUEST_CANCELED_TIME",
+ "CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME",
+ "CERT_VALIDATION_HTTP_REQUEST_RESULT",
+ "CERT_VALIDATION_HTTP_REQUEST_SUCCEEDED_TIME",
 "CHANGES_OF_DETECTED_LANGUAGE",
 "CHANGES_OF_TARGET_LANGUAGE",
 "CHECK_ADDONS_MODIFIED_MS",
@@ -654,7 +664,27 @@
 "SPDY_SYN_REPLY_RATIO",
 "SPDY_SYN_REPLY_SIZE",
 "SPDY_SYN_SIZE",
+ "SSL_AUTH_ALGORITHM_FULL",
+ "SSL_AUTH_ECDSA_CURVE_FULL",
+ "SSL_AUTH_RSA_KEY_SIZE_FULL",
+ "SSL_BYTES_BEFORE_CERT_CALLBACK",
+ "SSL_CERT_ERROR_OVERRIDES",
+ "SSL_CIPHER_SUITE_FULL",
+ "SSL_CIPHER_SUITE_RESUMED",
+ "SSL_HANDSHAKE_TYPE",
+ "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX",
+ "SSL_KEA_DHE_KEY_SIZE_FULL",
+ "SSL_KEA_ECDHE_CURVE_FULL",
+ "SSL_KEA_RSA_KEY_SIZE_FULL",
+ "SSL_KEY_EXCHANGE_ALGORITHM_FULL",
+ "SSL_KEY_EXCHANGE_ALGORITHM_RESUMED",
 "SSL_NPN_TYPE",
+ "SSL_OCSP_STAPLING",
+ "SSL_PERMANENT_CERT_ERROR_OVERRIDES",
+ "SSL_REASONS_FOR_NOT_FALSE_STARTING",
+ "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX",
+ "SSL_SYMMETRIC_CIPHER_FULL",
+ "SSL_SYMMETRIC_CIPHER_RESUMED",
 "SSL_TLS10_INTOLERANCE_REASON_POST",
 "SSL_TLS10_INTOLERANCE_REASON_PRE",
 "SSL_TLS11_INTOLERANCE_REASON_POST",
@@ -707,6 +737,7 @@
 "TELEMETRY_TEST_RELEASE_OPTOUT",
 "THUNDERBIRD_GLODA_SIZE_MB",
 "THUNDERBIRD_INDEXING_RATE_MSG_PER_S",
+ "TLS_ERROR_REPORT_UI",
 "TOTAL_COUNT_HIGH_ERRORS",
 "TOTAL_COUNT_LOW_ERRORS",
 "TRANSLATED_CHARACTERS",
@@ -855,6 +886,8 @@
 "DEVTOOLS_HEAP_SNAPSHOT_NODE_COUNT",
 "DEVTOOLS_HEAP_SNAPSHOT_EDGE_COUNT",
 "NETWORK_CACHE_HIT_RATE_PER_CACHE_SIZE",
+ "SSL_CIPHER_SUITE_FULL",
+ "SSL_CIPHER_SUITE_RESUMED",
 "SSL_HANDSHAKE_RESULT",
 "SSL_HANDSHAKE_RESULT_FIRST_TRY",
 "SSL_HANDSHAKE_RESULT_CONSERVATIVE",
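Review bot: Several names added back to this allowlist have no matching definition in the Histograms.json hunks visible here: the four `CERT_VALIDATION_HTTP_REQUEST_*` entries in `@@ -364,8 +366,16 @@`, and `SSL_BYTES_BEFORE_CERT_CALLBACK`, `SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX`, `SSL_KEY_EXCHANGE_ALGORITHM_FULL`, `SSL_KEY_EXCHANGE_ALGORITHM_RESUMED` and `SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX` in `@@ -654,7 +664,27 @@`. They may be defined in parts of Histograms.json this patch does not touch, so this needs checking rather than assuming. An allowlist entry exempts a probe from a metadata requirement, and entries for probes that no longer exist make it harder to see which live TLS and certificate probes still lack an owner or a bug. The enclosing list's key is outside the hunk, so which requirement is being waived cannot be confirmed from here.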
@@ -880,6 +913,7 @@
 "FX_THUMBNAILS_BG_CAPTURE_DONE_REASON_2",
 "TRANSLATED_PAGES",
 "FX_SESSION_RESTORE_SEND_UPDATE_CAUSED_OOM",
+ "SSL_PERMANENT_CERT_ERROR_OVERRIDES",
 "FX_THUMBNAILS_BG_QUEUE_SIZE_ON_CAPTURE",
 "AUTO_REJECTED_TRANSLATION_OFFERS",
 "TRANSLATED_CHARACTERS",
@@ -890,6 +924,7 @@
 "FX_THUMBNAILS_BG_CAPTURE_QUEUE_TIME_MS",
 "NEWTAB_PAGE_PINNED_SITES_COUNT",
 "WEAVE_COMPLETE_SUCCESS_COUNT",
+ "CERT_CHAIN_KEY_SIZE_STATUS",
 "CHANGES_OF_TARGET_LANGUAGE",
 "TRANSLATION_OPPORTUNITIES",
 "NEWTAB_PAGE_BLOCKED_SITES_COUNT",