tls: distrust trustcor ca certificates #45762

Closed
bnoordhuis opened this issue Dec 6, 2022 · 5 comments · Fixed by #45776
Labels
tls Issues and PRs related to the tls subsystem.

Comments

@bnoordhuis
Member

https://www.theregister.com/2022/12/02/mozilla_microsoft_trustcor/ for a summary and https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/ for more details.

tl;dr Microsoft and Mozilla now distrust TrustCor-issued certificates; Microsoft uses a Nov 1 cutoff date, Mozilla Nov 30. I suggest we use Nov 1, too.

Currently still trusted:

$ git rev-parse @
ab064d12b79d14a3d02ba420138cc9d24169a951

$ git grep -i trustcor src/node_root_certs.h 
src/node_root_certs.h:/* TrustCor RootCert CA-1 */
src/node_root_certs.h:/* TrustCor RootCert CA-2 */
src/node_root_certs.h:/* TrustCor ECA-1 */

cc @nodejs/crypto

@bnoordhuis bnoordhuis added the tls Issues and PRs related to the tls subsystem. label Dec 6, 2022
@richardlau
Member

https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ suggests that Mozilla are not going to be removing these from the root certs for a while yet but will be distrusting them. I think that's an area where there's a gap in Node.js -- we take the root certs from NSS but I don't think we have any additional logic on top of that (fairly certain that has come up in the past).

@richardlau
Member

richardlau commented Dec 6, 2022

It looks like https://hg.mozilla.org/projects/nss/rev/a871902c05907db3150ac8b7f6a80dd01b5d38c9 is the NSS change. That is to the root certs so maybe we either update to a non-release version of NSS or float the patch onto our certdata.txt and regenerate the header file? I'm not sure that mk-ca-bundle.pl would preserve CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL (and/or CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL) much less Node.js knowing what to do with it.

@bnoordhuis
Member Author

we take the root certs from NSS but I don't think we have any additional logic on top of that (fairly certain that has come up in the past)

We've done that at least once in the past, when we started distrusting certain (but not all) CNNIC certificates in commit 3beb880.

mk-ca-bundle.pl does not understand "distrust after" fields, of that I'm fairly sure (and neither does node.)

@richardlau
Member

As a reference point, our mk-ca-bundle.pl is based on the script of the same name from curl and the current version of that parses the CKA_NSS_SERVER_DISTRUST_AFTER field and skips it if the date is in the past: curl/curl@1ebc53d
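The "distrust after" handling discussed in the last three comments, as an added example that is not part of this thread and not the code of Node.js, curl or NSS: a small Python parser for the certdata.txt object format that decodes CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL values and, in the spirit of what curl/curl@1ebc53d is described as doing, drops a root from the server-auth bundle once that date has passed. The certdata fragment, its labels and its CKA_VALUE bytes are constructed placeholders rather than real certificates; the 2022-11-30 date mirrors the Mozilla cutoff mentioned above.

```python
"""Parse a certdata.txt fragment and honour NSS "distrust after" dates.

Added example (not mk-ca-bundle.pl, curl or NSS code). The CERTDATA text
below is constructed: "Example Root A" / "Example Distrusted Root B" are
made-up labels and the CKA_VALUE bytes are placeholders, not certificates.
"""
import re
from datetime import datetime, timezone

# "221130000000Z" (UTCTime, 2022-11-30) written as certdata octal escapes.
CERTDATA = r'''
#
# Certificate "Example Root A"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root A"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE

# Trust for "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

#
# Certificate "Example Distrusted Root B"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root B"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\061\061\063\060\060\060\060\060\060\060\132
END

# Trust for "Example Distrusted Root B"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''


def decode_octal(text):
    """Turn a run of \\ooo escapes (certdata MULTILINE_OCTAL) into bytes."""
    return bytes(int(m, 8) for m in re.findall(r"\\([0-7]{3})", text))


def parse_certdata(text):
    """Split certdata.txt into objects; each object is a dict of attribute -> value.

    A new object starts at every CKA_CLASS line. MULTILINE_OCTAL values are
    decoded to bytes, UTF8 values lose their quotes, everything else is kept
    as the raw token after the type name.
    """
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)
        attr, typ = parts[0], parts[1]
        value = parts[2] if len(parts) > 2 else ""
        if typ == "MULTILINE_OCTAL":
            buf = []
            for raw in lines:  # consume lines up to END
                if raw.strip() == "END":
                    break
                buf.append(raw.strip())
            value = decode_octal("".join(buf))
        elif typ == "UTF8":
            value = value.strip('"')
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is not None:
            current[attr] = value
    return objects


def parse_distrust_after(raw):
    """Decode a CKA_NSS_*_DISTRUST_AFTER value (UTCTime YYMMDDhhmmssZ)."""
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def utc_date(year, month, day):
    """Helper so callers can build a UTC 'now' without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def select_server_roots(text, now=None, honour_distrust=True):
    """Return (kept, skipped): roots trusted for server auth at time `now`.

    With honour_distrust=False this behaves like a bundler that ignores the
    field entirely, i.e. the gap described in the thread.
    """
    now = now or datetime.now(timezone.utc)
    objs = parse_certdata(text)
    trust = {o["CKA_LABEL"]: o for o in objs if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    kept, skipped = [], []
    for o in objs:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        label = o["CKA_LABEL"]
        if trust.get(label, {}).get("CKA_TRUST_SERVER_AUTH") != "CKT_NSS_TRUSTED_DELEGATOR":
            skipped.append((label, "not trusted for server auth"))
            continue
        raw = o.get("CKA_NSS_SERVER_DISTRUST_AFTER")
        if honour_distrust and raw is not None and parse_distrust_after(raw) <= now:
            skipped.append((label, f"server distrust after {parse_distrust_after(raw):%Y-%m-%d}"))
            continue
        kept.append(label)
    return kept, skipped


if __name__ == "__main__":
    for flag in (False, True):
        kept, skipped = select_server_roots(CERTDATA, utc_date(2022, 12, 6), honour_distrust=flag)
        print(f"honour_distrust={flag}: kept={kept} skipped={skipped}")
```

Dropping the root at bundle-build time once the date has passed is coarser than what NSS itself does: NSS keeps the root and compares the field against each end-entity certificate's notBefore, so leaves issued before the cutoff keep validating. A bundle consumer with no notion of the field, like the Node.js header generation described above, gets neither behaviour unless the root is removed outright, which is the option the thread ends up taking.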

@bnoordhuis
Member Author

Ubuntu is dropping TrustCor altogether: https://ubuntu.com/security/notices/USN-5761-2

I like that better than the idea of adding custom code for a shifty CA.

bnoordhuis added a commit to bnoordhuis/io.js that referenced this issue Dec 7, 2022
Follow what Ubuntu did and simply remove the CA certificates
altogether.

Fixes: nodejs#45762
Refs: https://ubuntu.com/security/notices/USN-5761-2
nodejs-github-bot pushed a commit that referenced this issue Dec 10, 2022
Follow what Ubuntu did and simply remove the CA certificates
altogether.

Fixes: #45762
Refs: https://ubuntu.com/security/notices/USN-5761-2
PR-URL: #45776
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>