crypto: update root certificates #12402
This is the certdata.txt[0] that ships in NSS 3.28.1, released on 2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana
largely rubber stamp LGTM
Also, rubberstamp.
LGTM. This is the same as the one included in Firefox53 to be released next week.
NSS 3.31 is included in Firefox55 to be stable on 2017-08-08. https://bugzilla.mozilla.org/show_bug.cgi?id=1345368
@nodejs/lts @bnoordhuis will you backport to LTS as well? Do we consistently backport the root updates? They are potentially semver-major... but they are also security updates, and if a CA is invalidated, maybe your code should break.
@sam-github We back-port after due deliberation. E.g., we added back some transitional 1024 RSA certificates last time for compatibility reasons.
@sam-github to follow up on @bnoordhuis comments... ideally this would sit in a current release for a couple of weeks before we look at backporting to LTS.
This is the certdata.txt[0] that ships in NSS 3.28.1, released on 2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell
Reviewed-By: Colin Ihrig
Reviewed-By: Shigeki Ohtsu

Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell
Reviewed-By: Colin Ihrig
Reviewed-By: Shigeki Ohtsu
Landed in abe0375 and 6331b63
Opting to leave this until the next v6.x (to bake some more), LMK if there's a need to land it sooner.
Backporters, this should land together with #13279.
This does not land cleanly on v4.x. Could someone who is familiar with the certs please submit a backport?
backported: #14482
This LTS release comes with 221 commits. This includes 80 which are test related, 52 which are doc related, 32 which are build / tool related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand) - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis) - #13279 - #12402 - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu) - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts) - #13206
  - Agent construction can now be invoked without `new` (cjihrig) - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits, instead of crashing (Alexey Orlenko) - #13098

PR-URL: #14356
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis) #13279
  - update root certificates (Ben Noordhuis) #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani) #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu) #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius) #13233

PR-URL: #16500
I picked the certdata.txt from upstream NSS instead of downstream Firefox this time around in order to include the January CA updates.
If we end up delaying the node 8 release for a few weeks, we should consider upgrading to NSS 3.31 to include the March updates as well.
cc @nodejs/crypto, refs #12393.
CI: https://ci.nodejs.org/job/node-test-pull-request/7380/
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/715/
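
One way to check the "Certificates added" and "Certificates removed" lists in the commit message when reviewing a root store update like this one, as an added example that is not part of the PR or of Node.js's tooling: it parses two certdata.txt snapshots and diffs the labels trusted for TLS server authentication. The snapshots are constructed, the function names are hypothetical, and labels are assumed to identify roots uniquely.

```javascript
// Added example, not Node.js tooling; function names are hypothetical.
// certdata.txt writes non-ASCII label bytes as \xNN escapes; decode them as UTF-8.
function decodeLabel(raw) {
  return raw.replace(/(?:\\x[0-9a-fA-F]{2})+/g, (run) =>
    Buffer.from(run.replace(/\\x/g, ''), 'hex').toString('utf8'));
}

// Labels of CKO_NSS_TRUST objects whose server-auth trust is TRUSTED_DELEGATOR.
// Assumption: labels are unique (a stricter tool would key on the certificate hash).
function serverAuthRoots(certdata) {
  const trusted = new Set();
  let obj = null, inOctal = false;
  const flush = () => {
    if (obj && obj.cls === 'CKO_NSS_TRUST' && obj.label !== undefined &&
        obj.serverAuth === 'CKT_NSS_TRUSTED_DELEGATOR') trusted.add(obj.label);
  };
  for (const line of certdata.split(/\r?\n/)) {
    if (inOctal) { inOctal = line.trim() !== 'END'; continue; }
    const m = /^([A-Z_0-9]+)\s+(\S+)(?:\s+(.*))?$/.exec(line.trim());
    if (!m) continue; // comments, blank lines, BEGINDATA
    const [, attr, type, value = ''] = m;
    if (type === 'MULTILINE_OCTAL') inOctal = true; // skip DER/hash bytes up to END
    else if (attr === 'CKA_CLASS') { flush(); obj = { cls: value }; }
    else if (obj && attr === 'CKA_LABEL') obj.label = decodeLabel(value.replace(/^"|"$/g, ''));
    else if (obj && attr === 'CKA_TRUST_SERVER_AUTH') obj.serverAuth = value;
  }
  flush(); // the last object has no following CKA_CLASS line
  return trusted;
}

function diffRootStores(oldData, newData) {
  const before = serverAuthRoots(oldData), after = serverAuthRoots(newData);
  const only = (a, b) => [...a].filter((l) => !b.has(l)).sort();
  return { added: only(after, before), removed: only(before, after) };
}

// Constructed sample input: trust objects only, with dummy hash bytes.
const trust = (label, level) => ['CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST',
  `CKA_LABEL UTF8 "${label}"`, 'CKA_CERT_SHA1_HASH MULTILINE_OCTAL', '\\000\\001',
  'END', `CKA_TRUST_SERVER_AUTH CK_TRUST ${level}`].join('\n');
const OK = 'CKT_NSS_TRUSTED_DELEGATOR';
const EBG = 'EBG Elektronik Sertifika Hizmet Sa\\xC4\\x9Flay\\xC4\\xB1c\\xC4\\xB1s\\xC4\\xB1';
const OLD_SNAPSHOT = ['BEGINDATA', trust('Buypass Class 2 CA 1', OK), trust(EBG, OK),
  trust('Constructed Stable Root', OK)].join('\n');
const NEW_SNAPSHOT = ['BEGINDATA', trust('Constructed Stable Root', OK),
  trust('ISRG Root X1', OK), trust('Amazon Root CA 1', OK),
  trust('Constructed Distrusted Root', 'CKT_NSS_NOT_TRUSTED')].join('\n');

console.log(diffRootStores(OLD_SNAPSHOT, NEW_SNAPSHOT));
```

A root that stays in the file but loses its server-auth trust level shows up under `removed`, which is the behaviour a TLS client cares about.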