Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update root certs with NSS 3.41, and document the process #25113

Closed
wants to merge 3 commits into from
Closed

Update root certs with NSS 3.41, and document the process #25113

wants to merge 3 commits into from

Conversation

sam-github
Copy link
Contributor

@sam-github sam-github commented Dec 18, 2018
edited
Loading

One question about the process: do root certs always get backported? I think so, so should the final step in the process involve any labelling of the PR to indicate request-to-backport/cherry-pick into LTS branches?

/to @bnoordhuis @shigeki

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

@sam-github build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1995/pipeline

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. labels Dec 18, 2018
@sam-github sam-github mentioned this pull request Dec 18, 2018
Closed
bnoordhuis
bnoordhuis approved these changes Dec 20, 2018
View reviewed changes
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Good writeup, Sam. There's a typo in the URL in the first commit, it's missing the first 't' in certdata.txt.

@BridgeAR
Copy link
Member

CI https://ci.nodejs.org/job/node-test-pull-request/19691/

@BridgeAR BridgeAR added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Dec 20, 2018
@sam-github
tools: update certdata.txt
1895d3d 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt
@sam-github
crypto: update root certificates
71c2b7e 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
@sam-github sam-github force-pushed the certdata-3.41 branch 2 times, most recently from 4e73e85 to b5ca978 Compare December 20, 2018 17:24
@sam-github
Copy link
Contributor Author

ci: https://ci.nodejs.org/job/node-test-pull-request/19697/

@addaleax
Copy link
Member

Landed in 4ac1702...845fdd0

@addaleax addaleax closed this Dec 21, 2018
addaleax pushed a commit that referenced this pull request Dec 21, 2018
@sam-github @addaleax
tools: update certdata.txt
3535a87 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
addaleax pushed a commit that referenced this pull request Dec 21, 2018
@sam-github @addaleax
crypto: update root certificates
7d6f3a5 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
addaleax pushed a commit that referenced this pull request Dec 21, 2018
@sam-github @addaleax
doc: describe root cert update process
845fdd0 
PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@sam-github sam-github deleted the certdata-3.41 branch December 21, 2018 16:15
@bnoordhuis
Copy link
Member

One question about the process: do root certs always get backported?

Sorry, forgot to answer this. The answer is 'mostly' - there have been some certificate changes that we didn't backport in the past for fear of disruption (deprecation/removal of 1024 bits RSA certs was one.)

MylesBorins pushed a commit that referenced this pull request Dec 25, 2018
@sam-github @MylesBorins
tools: update certdata.txt
66b5c3b 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
MylesBorins pushed a commit that referenced this pull request Dec 25, 2018
@sam-github @MylesBorins
crypto: update root certificates
cd04a54 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
MylesBorins pushed a commit that referenced this pull request Dec 25, 2018
@sam-github @MylesBorins
doc: describe root cert update process
972b056 
PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
MylesBorins added a commit that referenced this pull request Dec 25, 2018
@MylesBorins
2018-12-26, Version 11.6.0 (Current)
f59e73b 
Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    #24811
* crypto:
  - always accept certificates as public keys (Tobias Nießen)
    #24234
  - add key object API (Tobias Nießen) [#24234](#24234)
  - update root certificates (Sam Roberts)
    #25113
* deps:
  - upgrade to libuv 1.24.1 (cjihrig)
    #25078
  - upgrade npm to 6.5.0 (Audrey Eschright)
    #24734
* http:
  - add maxHeaderSize property (cjihrig)
    #24860

PR-URL: #25175
MylesBorins added a commit that referenced this pull request Dec 26, 2018
@MylesBorins
2018-12-26, Version 11.6.0 (Current)
e01999d 
Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    #24811
* crypto:
  - always accept certificates as public keys (Tobias Nießen)
    #24234
  - add key object API (Tobias Nießen) [#24234](#24234)
  - update root certificates (Sam Roberts)
    #25113
* deps:
  - upgrade to libuv 1.24.1 (cjihrig)
    #25078
  - upgrade npm to 6.5.0 (Audrey Eschright)
    #24734
* http:
  - add maxHeaderSize property (cjihrig)
    #24860

PR-URL: #25175
refack pushed a commit to refack/node that referenced this pull request Jan 14, 2019
@sam-github @refack
tools: update certdata.txt
8bb9eb0 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: nodejs#25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
refack pushed a commit to refack/node that referenced this pull request Jan 14, 2019
@sam-github @refack
crypto: update root certificates
daa012e 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

PR-URL: nodejs#25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
refack pushed a commit to refack/node that referenced this pull request Jan 14, 2019
@sam-github @refack
doc: describe root cert update process
f3bbbc7 
PR-URL: nodejs#25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
refack pushed a commit to refack/node that referenced this pull request Jan 14, 2019
@MylesBorins @refack
2018-12-26, Version 11.6.0 (Current)
c842f7b 
Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    nodejs#24811
* crypto:
  - always accept certificates as public keys (Tobias Nießen)
    nodejs#24234
  - add key object API (Tobias Nießen) [nodejs#24234](nodejs#24234)
  - update root certificates (Sam Roberts)
    nodejs#25113
* deps:
  - upgrade to libuv 1.24.1 (cjihrig)
    nodejs#25078
  - upgrade npm to 6.5.0 (Audrey Eschright)
    nodejs#24734
* http:
  - add maxHeaderSize property (cjihrig)
    nodejs#24860

PR-URL: nodejs#25175
BethGriggs pushed a commit that referenced this pull request Apr 17, 2019
@sam-github @BethGriggs
tools: update certdata.txt
2f721c2 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BethGriggs pushed a commit that referenced this pull request Apr 17, 2019
@sam-github @BethGriggs
crypto: update root certificates
48101cf 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BethGriggs pushed a commit that referenced this pull request Apr 17, 2019
@sam-github @BethGriggs
doc: describe root cert update process
854867f 
PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BethGriggs pushed a commit that referenced this pull request Apr 28, 2019
@sam-github @BethGriggs
tools: update certdata.txt
7bb3808 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BethGriggs pushed a commit that referenced this pull request Apr 28, 2019
@sam-github @BethGriggs
crypto: update root certificates
6e8bc27 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BethGriggs pushed a commit that referenced this pull request Apr 28, 2019
@sam-github @BethGriggs
doc: describe root cert update process
a5c77c1 
PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@BethGriggs BethGriggs mentioned this pull request May 1, 2019
Merged
BethGriggs pushed a commit that referenced this pull request May 10, 2019
@sam-github @BethGriggs
tools: update certdata.txt
330fce4 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BethGriggs pushed a commit that referenced this pull request May 10, 2019
@sam-github @BethGriggs
crypto: update root certificates
7292ed3 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BethGriggs pushed a commit that referenced this pull request May 10, 2019
@sam-github @BethGriggs
doc: describe root cert update process
451d811 
PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
MylesBorins pushed a commit that referenced this pull request May 16, 2019
@sam-github @MylesBorins
tools: update certdata.txt
6e329a8 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
MylesBorins pushed a commit that referenced this pull request May 16, 2019
@sam-github @MylesBorins
crypto: update root certificates
a0dc65d 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
MylesBorins pushed a commit that referenced this pull request May 16, 2019
@sam-github @MylesBorins
doc: describe root cert update process
c571e9e 
PR-URL: #25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
This was referenced May 29, 2019
Closed
Closed
Closed
Closed
Closed
bnoordhuis pushed a commit to bnoordhuis/io.js that referenced this pull request Aug 15, 2019
@sam-github @bnoordhuis
tools: update certdata.txt
9dd2a78 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: nodejs#25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
bnoordhuis pushed a commit to bnoordhuis/io.js that referenced this pull request Aug 15, 2019
@sam-github @bnoordhuis
crypto: update root certificates
de5d023 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

PR-URL: nodejs#25113
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BethGriggs pushed a commit that referenced this pull request Sep 19, 2019
@sam-github @BethGriggs
tools: update certdata.txt
529b2ad 
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #25113
Backport-PR-URL: #29137
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BethGriggs pushed a commit that referenced this pull request Sep 19, 2019
@sam-github @BethGriggs
crypto: update root certificates
b2a6b32 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

PR-URL: #25113
Backport-PR-URL: #29137
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@BethGriggs BethGriggs mentioned this pull request Sep 19, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vsemozhetbyt vsemozhetbyt vsemozhetbyt left review comments

@BridgeAR BridgeAR BridgeAR approved these changes

@jasnell jasnell jasnell approved these changes

@bnoordhuis bnoordhuis bnoordhuis approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@sam-github @nodejs-github-bot @BridgeAR @addaleax @bnoordhuis @jasnell @vsemozhetbyt