Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: update root certificates #12402

Closed
wants to merge 2 commits into from

Conversation

bnoordhuis
Copy link
Member

@bnoordhuis bnoordhuis commented Apr 13, 2017

I picked the certdata.txt from upstream NSS instead of downstream Firefox this time around in order to include the January CA updates.

If we end up delaying the node 8 release for a few weeks, we should consider upgrading to NSS 3.31 to include the March updates as well.

cc @nodejs/crypto, refs #12393.

CI: https://ci.nodejs.org/job/node-test-pull-request/7380/
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/715/

This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana
@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. openssl Issues and PRs related to the OpenSSL dependency. tls Issues and PRs related to the tls subsystem. tools Issues and PRs related to the tools directory. labels Apr 13, 2017
Copy link
Member

@jasnell jasnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

largely rubber stamp LGTM

Copy link
Contributor

@cjihrig cjihrig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, rubberstamp.

Copy link
Contributor

@shigeki shigeki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. This is the same as the one included in Firefox53 to be released next week.

NSS 3.31 is included in Firefox55 to be stable on 2017-08-08. https://bugzilla.mozilla.org/show_bug.cgi?id=1345368

@sam-github
Copy link
Contributor

@nodejs/lts @bnoordhuis will you backport to LTS as well? Do we consistently backport the root updates?

They are potentially semver-major... but they are also security updates, and if a CA is invalidated, maybe your code should break.

@bnoordhuis
Copy link
Member Author

@sam-github We back-port after due deliberation. E.g., we added back some transitional 1024 RSA certificates last time for compatibility reasons.

@jasnell
Copy link
Member

jasnell commented Apr 18, 2017

@sam-github to follow up on @bnoordhuis comments... ideally this would sit in a current release for a couple of weeks before we look at backporting to LTS.

jasnell pushed a commit that referenced this pull request Apr 18, 2017
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
jasnell pushed a commit that referenced this pull request Apr 18, 2017
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
@jasnell
Copy link
Member

jasnell commented Apr 18, 2017

Landed in abe0375 and 6331b63

@jasnell jasnell closed this Apr 18, 2017
evanlucas pushed a commit that referenced this pull request Apr 25, 2017
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
evanlucas pushed a commit that referenced this pull request Apr 25, 2017
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
@evanlucas evanlucas mentioned this pull request May 1, 2017
evanlucas pushed a commit that referenced this pull request May 1, 2017
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
evanlucas pushed a commit that referenced this pull request May 1, 2017
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
evanlucas pushed a commit that referenced this pull request May 2, 2017
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
evanlucas pushed a commit that referenced this pull request May 2, 2017
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
@gibfahn gibfahn added the baking-for-lts PRs that need to wait before landing in a LTS release. label May 16, 2017
@gibfahn
Copy link
Member

gibfahn commented May 16, 2017

Opting to leave this until the next v6.x (to bake some more), LMK if there's a need to land it sooner.

jbunton-atlassian pushed a commit to jbunton-atlassian/node that referenced this pull request May 29, 2017
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: nodejs#12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
@bnoordhuis
Copy link
Member Author

Backporters, this should land together with #13279.

MylesBorins pushed a commit that referenced this pull request Jul 14, 2017
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
MylesBorins pushed a commit that referenced this pull request Jul 14, 2017
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
@MylesBorins MylesBorins removed baking-for-lts PRs that need to wait before landing in a LTS release. lts-watch-v6.x labels Jul 14, 2017
@MylesBorins
Copy link
Contributor

This does not land cleanly on v4.x

Could someone who is familiar with the certs please submit a backport

@sam-github
Copy link
Contributor

backported: #14482

MylesBorins added a commit that referenced this pull request Aug 1, 2017
This LTS release comes with 221 commits. This includes 80 which are
test related, 52 which are doc related, 32 which are build / tool
related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand)
    - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis)
    - #13279
    - #12402
    - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu)
    - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts)
    - #13206
  - Agent construction can now be envoked without `new` (cjihrig)
    - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits,
    instead of crashing (Alexey Orlenko)
    - #13098

PR-URL: #14356
MylesBorins added a commit that referenced this pull request Aug 1, 2017
This LTS release comes with 221 commits. This includes 80 which are
test related, 52 which are doc related, 32 which are build / tool
related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand)
    - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis)
    - #13279
    - #12402
    - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu)
    - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts)
    - #13206
  - Agent construction can now be envoked without `new` (cjihrig)
    - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits,
    instead of crashing (Alexey Orlenko)
    - #13098

PR-URL: #14356
MylesBorins pushed a commit that referenced this pull request Aug 16, 2017
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
MylesBorins pushed a commit that referenced this pull request Aug 16, 2017
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
@MylesBorins MylesBorins mentioned this pull request Sep 20, 2017
MylesBorins pushed a commit that referenced this pull request Oct 25, 2017
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
MylesBorins pushed a commit that referenced this pull request Oct 25, 2017
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
@MylesBorins MylesBorins mentioned this pull request Oct 25, 2017
MylesBorins added a commit that referenced this pull request Nov 6, 2017
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500
MylesBorins added a commit that referenced this pull request Nov 7, 2017
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500
abhishekumar-tyagi pushed a commit to abhishekumar-tyagi/node that referenced this pull request May 5, 2024
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: nodejs/node#12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
abhishekumar-tyagi pushed a commit to abhishekumar-tyagi/node that referenced this pull request May 5, 2024
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: nodejs/node#12402
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. openssl Issues and PRs related to the OpenSSL dependency. tls Issues and PRs related to the tls subsystem. tools Issues and PRs related to the tools directory.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants