Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: remove expired DST Root CA X3 #31219

Merged
merged 2 commits into from Oct 1, 2021
Merged

fix: remove expired DST Root CA X3 #31219

merged 2 commits into from Oct 1, 2021

Conversation

@deepak1556
Copy link
Member

@deepak1556 deepak1556 commented Sep 30, 2021

Description of Change

Alternative targeted fix for stable branch lines while the boringssl change is explored in main and beta branches.

Refs https://bugs.chromium.org/p/boringssl/issues/detail?id=439#c2

Checklist

Release Notes

Notes: Remove expired DST Root CA X3 from the bundled trust store

@deepak1556
Copy link
Member Author

@deepak1556 deepak1556 commented Oct 1, 2021

Failing test are unrelated, merging

Loading

@deepak1556 deepak1556 merged commit 9407a3e into 15-x-y Oct 1, 2021
15 of 18 checks passed
Loading
@deepak1556 deepak1556 deleted the robo/rm_expired_root_cert branch Oct 1, 2021
@release-clerk
Copy link

@release-clerk release-clerk bot commented Oct 1, 2021

Release Notes Persisted

Remove expired DST Root CA X3 from the bundled trust store

Loading

@wartab
Copy link

@wartab wartab commented Oct 8, 2021

Would it be possible to make an Electron 14 release with this patch?

Or is the following patch that got reverted sufficient? #31216

Loading

@deepak1556
Copy link
Member Author

@deepak1556 deepak1556 commented Oct 8, 2021

The fix available via 14.1.0 is sufficient, this just reverts to a less obtrusive fix on the stable release lines. So this will be available on next update to Electron 14, but there should be no behavior difference between the two.

Loading

@quanglam2807
Copy link

@quanglam2807 quanglam2807 commented Oct 8, 2021

Thanks for the clarification, @deepak1556. I'm currently running 13.5.1 and it seems like the bug is also fixed with #31216. But a user reported error: ERR_CERT_DATE_INVALID. I checked https://bugs.chromium.org/p/boringssl/issues/detail?id=439#c2
and TRUSTED_FIRST can break other scenarios was mentioned. Could it be a degradation caused by #31216 and this fix is actually better?

image0

Loading

@deepak1556
Copy link
Member Author

@deepak1556 deepak1556 commented Oct 8, 2021

@quanglam2807 can you open an issue with minimal repro, it would help to confirm if there was a regression. If repro is not available, can you collect the network trace by launching the app with --log-net-log=<some-absolute-path>/netlog.json and perform the failing request. The log will be available once the app is quit.

Loading

@quanglam2807
Copy link

@quanglam2807 quanglam2807 commented Oct 8, 2021

@deed02392 I'm sorry but I couldn't reproduce the bug on my Mac and the user is not technical-savvy so it'd be difficult to ask for the network trace. If I upgrade from electron@13.5.1 to electron@15.1.1 and it works, maybe we can then make the conclusion? Or is anything better I can do?

Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants