New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: update root certificates #12402

Closed
wants to merge 2 commits into
base: master
from

Conversation

Projects
None yet
8 participants
@bnoordhuis
Member

bnoordhuis commented Apr 13, 2017

I picked the certdata.txt from upstream NSS instead of downstream Firefox this time around in order to include the January CA updates.

If we end up delaying the node 8 release for a few weeks, we should consider upgrading to NSS 3.31 to include the March updates as well.

cc @nodejs/crypto, refs #12393.

CI: https://ci.nodejs.org/job/node-test-pull-request/7380/
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/715/

bnoordhuis added some commits Apr 13, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt
crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana
@jasnell

largely rubber stamp LGTM

@cjihrig

Also, rubberstamp.

@shigeki

LGTM. This is the same as the one included in Firefox53 to be released next week.

NSS 3.31 is included in Firefox55 to be stable on 2017-08-08. https://bugzilla.mozilla.org/show_bug.cgi?id=1345368

@ghost

ghost approved these changes Apr 14, 2017

@sam-github

This comment has been minimized.

Show comment
Hide comment
@sam-github

sam-github Apr 17, 2017

Member

@nodejs/lts @bnoordhuis will you backport to LTS as well? Do we consistently backport the root updates?

They are potentially semver-major... but they are also security updates, and if a CA is invalidated, maybe your code should break.

Member

sam-github commented Apr 17, 2017

@nodejs/lts @bnoordhuis will you backport to LTS as well? Do we consistently backport the root updates?

They are potentially semver-major... but they are also security updates, and if a CA is invalidated, maybe your code should break.

@bnoordhuis

This comment has been minimized.

Show comment
Hide comment
@bnoordhuis

bnoordhuis Apr 18, 2017

Member

@sam-github We back-port after due deliberation. E.g., we added back some transitional 1024 RSA certificates last time for compatibility reasons.

Member

bnoordhuis commented Apr 18, 2017

@sam-github We back-port after due deliberation. E.g., we added back some transitional 1024 RSA certificates last time for compatibility reasons.

@jasnell

This comment has been minimized.

Show comment
Hide comment
@jasnell

jasnell Apr 18, 2017

Member

@sam-github to follow up on @bnoordhuis comments... ideally this would sit in a current release for a couple of weeks before we look at backporting to LTS.

Member

jasnell commented Apr 18, 2017

@sam-github to follow up on @bnoordhuis comments... ideally this would sit in a current release for a couple of weeks before we look at backporting to LTS.

jasnell added a commit that referenced this pull request Apr 18, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

jasnell added a commit that referenced this pull request Apr 18, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@jasnell

This comment has been minimized.

Show comment
Hide comment
@jasnell

jasnell Apr 18, 2017

Member

Landed in abe0375 and 6331b63

Member

jasnell commented Apr 18, 2017

Landed in abe0375 and 6331b63

@jasnell jasnell closed this Apr 18, 2017

evanlucas added a commit that referenced this pull request Apr 25, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

evanlucas added a commit that referenced this pull request Apr 25, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

@evanlucas evanlucas referenced this pull request May 1, 2017

Merged

v7.10.0 proposal #12775

evanlucas added a commit that referenced this pull request May 1, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

evanlucas added a commit that referenced this pull request May 1, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

evanlucas added a commit that referenced this pull request May 2, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

evanlucas added a commit that referenced this pull request May 2, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@gibfahn

This comment has been minimized.

Show comment
Hide comment
@gibfahn

gibfahn May 16, 2017

Member

Opting to leave this until the next v6.x (to bake some more), LMK if there's a need to land it sooner.

Member

gibfahn commented May 16, 2017

Opting to leave this until the next v6.x (to bake some more), LMK if there's a need to land it sooner.

jbunton-atlassian added a commit to jbunton-atlassian/node that referenced this pull request May 29, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: nodejs#12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@bnoordhuis

This comment has been minimized.

Show comment
Hide comment
@bnoordhuis

bnoordhuis May 30, 2017

Member

Backporters, this should land together with #13279.

Member

bnoordhuis commented May 30, 2017

Backporters, this should land together with #13279.

MylesBorins added a commit that referenced this pull request Jul 14, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

MylesBorins added a commit that referenced this pull request Jul 14, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@MylesBorins

This comment has been minimized.

Show comment
Hide comment
@MylesBorins

MylesBorins Jul 15, 2017

Member

This does not land cleanly on v4.x

Could someone who is familiar with the certs please submit a backport

Member

MylesBorins commented Jul 15, 2017

This does not land cleanly on v4.x

Could someone who is familiar with the certs please submit a backport

@MylesBorins MylesBorins referenced this pull request Jul 18, 2017

Merged

v6.11.2 proposal #14356

@sam-github sam-github referenced this pull request Jul 25, 2017

Closed

V4.x backport 12402 and 13279 #14482

0 of 4 tasks complete
@sam-github

This comment has been minimized.

Show comment
Hide comment
@sam-github

sam-github Jul 25, 2017

Member

backported: #14482

Member

sam-github commented Jul 25, 2017

backported: #14482

MylesBorins added a commit that referenced this pull request Aug 1, 2017

2017-08-01, Version 6.11.2 'Boron' (LTS)
This LTS release comes with 221 commits. This includes 80 which are
test related, 52 which are doc related, 32 which are build / tool
related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand)
    - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis)
    - #13279
    - #12402
    - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu)
    - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts)
    - #13206
  - Agent construction can now be envoked without `new` (cjihrig)
    - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits,
    instead of crashing (Alexey Orlenko)
    - #13098

PR-URL: #14356

MylesBorins added a commit that referenced this pull request Aug 1, 2017

2017-08-01, Version 6.11.2 'Boron' (LTS)
This LTS release comes with 221 commits. This includes 80 which are
test related, 52 which are doc related, 32 which are build / tool
related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand)
    - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis)
    - #13279
    - #12402
    - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu)
    - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts)
    - #13206
  - Agent construction can now be envoked without `new` (cjihrig)
    - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits,
    instead of crashing (Alexey Orlenko)
    - #13098

PR-URL: #14356

MylesBorins added a commit that referenced this pull request Aug 16, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

MylesBorins added a commit that referenced this pull request Aug 16, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

@MylesBorins MylesBorins referenced this pull request Sep 20, 2017

Closed

v4.8.5 proposal #15507

MylesBorins added a commit that referenced this pull request Oct 25, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

MylesBorins added a commit that referenced this pull request Oct 25, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

@MylesBorins MylesBorins referenced this pull request Oct 25, 2017

Merged

v4.8.6 proposal #16500

MylesBorins added a commit that referenced this pull request Nov 6, 2017

2017-11-07, Version 4.8.6 'Argon' (Maintenance)
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

MylesBorins added a commit that referenced this pull request Nov 6, 2017

2017-11-07, Version 4.8.6 'Argon' (Maintenance)
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500

MylesBorins added a commit that referenced this pull request Nov 7, 2017

2017-11-07, Version 4.8.6 'Argon' (Maintenance)
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500

@abernix abernix referenced this pull request Nov 7, 2017

Merged

Release 1.5.4 #9320

msoechting added a commit to hpicgs/node that referenced this pull request Feb 7, 2018

2017-11-07, Version 4.8.6 'Argon' (Maintenance)
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    nodejs#13279
  - update root certificates (Ben Noordhuis)
    nodejs#12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    nodejs#13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    nodejs#16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    nodejs#13233

PR-URL: nodejs#16500
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment