tls: distrust trustcor ca certificates #45762
Comments
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ suggests that Mozilla are not going to be removing these from the root certs for a while yet but will be distrusting them. I think that's an area where there's a gap in Node.js -- we take the root certs from NSS but I don't think we have any additional logic on top of that (fairly certain that has come up in the past).
It looks like https://hg.mozilla.org/projects/nss/rev/a871902c05907db3150ac8b7f6a80dd01b5d38c9 is the NSS change. That is to the root certs so maybe we either update to a non-release version of NSS or float the patch onto our certdata.txt and regenerate the header file? I'm not sure that
We've done that at least once in the past, when we started distrusting certain (but not all) CNNIC certificates in commit 3beb880. mk-ca-bundle.pl does not understand "distrust after" fields, of that I'm fairly sure (and neither does node.)
As a reference point, our
Ubuntu is dropping TrustCor altogether: https://ubuntu.com/security/notices/USN-5761-2 I like that better than the idea of adding custom code for a shifty CA. |
Follow what Ubuntu did and simply remove the CA certificates altogether.
Fixes: nodejs#45762
Refs: https://ubuntu.com/security/notices/USN-5761-2
Follow what Ubuntu did and simply remove the CA certificates altogether.
Fixes: #45762
Refs: https://ubuntu.com/security/notices/USN-5761-2
PR-URL: #45776
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
https://www.theregister.com/2022/12/02/mozilla_microsoft_trustcor/ for a summary and https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/ for more details.
tl;dr Microsoft and Mozilla now distrust TrustCor-issued certificates; Microsoft uses a Nov 1 cutoff date, Mozilla Nov 30. I suggest we use Nov 1, too.
Currently still trusted:
cc @nodejs/crypto