src: re-add 1024-bit SSL certs removed by f9456a2 #8904
Conversation
this fixes a problem where connecting to AWS services would report an untrusted cert error.
0d5b3ba to 8bf6376
I haven't looked in detail at all the certs that f9456a2 removes from Mozilla uses an interesting test suite that goes through a lot of domains and tests for SSL errors. I wonder if we could use some variant of that before making such changes in the future.
I added back the certs that were specifically mentioned by this blog post, because Mozilla had clarified their intent behind removing them there & it was easy to verify. The only cert I didn't add back of that set was the SECOM ValiCert one because I couldn't verify the fingerprint. Since I do not know what the intent was behind dropping the other certs, I did not feel safe adding them back in. It would be good to determine why those were dropped, but this PR was scoped to just replacing the 1024-bit certs that Mozilla dropped as a fix for users connecting to AWS. EDIT: that said, if we have time before cutting a release we should ensure that the other certs can be omitted. For other readers, some more context behind this: this is a change to a generated file. The long term fix will almost certainly involve changing the perl script to also include grandfathered certs.
@chrisdickinson Ok, thanks for the clarification! @indutny @bnoordhuis, do you know why these other certificates were dropped?
@misterdjules Various reasons, see here.
@bnoordhuis Thank you for the link! @chrisdickinson Indeed, I think we should make sure that other certs can be omitted. Mozilla doesn't use the same SSL/TLS implementation, and what works for them doesn't necessarily always work for us, as we've seen recently. It's not clear though how we can test these changes thoroughly now. We could try to use Mozilla's test suite, but it would certainly require some work that is difficult to estimate. I would suggest reverting f9456a2 until we can test changes we make to the trusted certificates, or have a release candidate for the next stable release that could be tested in the wild before it actually gets released.
Merged in 1425ccd. |
Version bump. Deals primarily with the issue of Node refusing connections to AWS services based on untrusted certs as of the last release. See nodejs/node-v0.x-archive#8904 for detail. Closes #35223. Signed-off-by: Jack Nagel <jacknagel@gmail.com>
this fixes a problem where connecting to AWS services would report an untrusted cert error.
Fixes: nodejs#8894
PR-URL: nodejs#8904
Reviewed-By: Timothy J Fontaine <tjfontaine@gmail.com>
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
this fixes a problem where connecting to AWS services
would report an untrusted cert error.
This partially reverts f9456a2.
The ValiCert Class 1 VA is commented out because I was unable to verify it manually.