crypto: update root certificates

[bnoordhuis]

R=@nodejs/crypto

See also #1261

CI: https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/724/

[indutny]

@bnoordhuis https://hg.mozilla.org/mozilla-central/raw-file/1a2a200aeb40/security/nss/lib/ckfw/builtins/certdata.txt - replies with 404.

[shigeki]

opt_t and opt_s in mk-ca-bundle.pl are not necessary because they are used for the output of ca-bundle.crt.

$ ./mk-ca-bundle.pl -t
unable to load certificate
140323113272992:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
Couldn't close openssl pipe:  at ./mk-ca-bundle.pl line 290, <TXT> line 195.

Otherwize, make test-internet is fine and I also made a test of tls connection to s3.amazonaws.com and it is no problem. LGTM.

I will remove test/internet/test-tls-connnect-melissadata.js that was created in d8c4a93 after updated.

As for this updating root certs, what shoudl we do for CNNNIC whitelist?
https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/

Firefox and Chrome obtain serials of issued certs and checking them during cert verifying.
Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1151512
Chrome: https://codereview.chromium.org/1042973002 , https://codereview.chromium.org/1067723002

I incline not to do it because

• iojs is not a browser.
• We can only maintain its white list by looking at Firefox/Chrome repository.
• I worry about performance overhead for checking CNNNIC rootCA serials at every TLS handshake.

[bnoordhuis]

@indutny Don't know how I ended up pasting a bad link... the right one is https://hg.mozilla.org/mozilla-central/raw-file/aa275ad846f1/security/nss/lib/ckfw/builtins/certdata.txt - I'll update the commit log before I land this.

@shigeki

opt_t and opt_s in mk-ca-bundle.pl are not necessary

I tried to keep the delta with upstream as small as possible, to make future updates easier, that's why I left in some cruft. Basically all I did was remove the auto-downloading code.

what shoudl we do for CNNNIC whitelist?

I personally wouldn't mind the whitelisting approach. I don't think the overhead is going to be terrible when it's implemented as a simple binary search over a static array.

The only issue I see is tracking whitelist updates. Either we do it manually from time to time like we do for the root certificates or it has to be scripted into the release process somehow.