New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: update root certificates #13279

Closed
wants to merge 2 commits into
base: master
from

Conversation

Projects
None yet
7 participants
@bnoordhuis
Member

bnoordhuis commented May 29, 2017

Refs #12402 and particularly this comment:

If we end up delaying the node 8 release for a few weeks, we should consider upgrading to NSS 3.31 to include the March updates as well.

3.31 won't be released until next month but 3.30 is here and is what ships in Firefox 54.

Certificates added:

  • TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:

  • ApplicationCA - Japanese Government
  • Microsec e-Szigno Root CA
  • TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  • WellsSecure Public Root Certificate Authority

Ideally this should go into 8.0.0. cc @nodejs/crypto @jasnell

CI: https://ci.nodejs.org/job/node-test-pull-request/8357/

bnoordhuis added some commits May 29, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt
crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority
@jasnell

This comment has been minimized.

Show comment
Hide comment
@jasnell

jasnell May 29, 2017

Member

This would have to be fast tracked and landed today in order to make it in to 8.0.0.

Side note: we really need to be more diligent about not pushing these types of things in at the last minute. The release was delayed a month and things are still coming in last minute.

Member

jasnell commented May 29, 2017

This would have to be fast tracked and landed today in order to make it in to 8.0.0.

Side note: we really need to be more diligent about not pushing these types of things in at the last minute. The release was delayed a month and things are still coming in last minute.

@jasnell jasnell added this to the 8.0.0 milestone May 29, 2017

@jasnell

This comment has been minimized.

Show comment
Hide comment
@jasnell

jasnell May 29, 2017

Member

Given the signoff and the green CI, I'm going to land this so that I can get it into 8.0.0

Member

jasnell commented May 29, 2017

Given the signoff and the green CI, I'm going to land this so that I can get it into 8.0.0

jasnell added a commit that referenced this pull request May 29, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

jasnell added a commit that referenced this pull request May 29, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@jasnell

This comment has been minimized.

Show comment
Hide comment
@jasnell

jasnell May 29, 2017

Member

Landed in d302827 and 58af75e

Member

jasnell commented May 29, 2017

Landed in d302827 and 58af75e

@jasnell jasnell closed this May 29, 2017

jasnell added a commit that referenced this pull request May 29, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

jasnell added a commit that referenced this pull request May 29, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

@bnoordhuis bnoordhuis deleted the bnoordhuis:update-root-certs branch May 30, 2017

@gibfahn

This comment has been minimized.

Show comment
Hide comment
@gibfahn

gibfahn May 30, 2017

Member

Should land with #12402, see #12402 (comment)

Member

gibfahn commented May 30, 2017

Should land with #12402, see #12402 (comment)

MylesBorins added a commit that referenced this pull request Jul 14, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

MylesBorins added a commit that referenced this pull request Jul 14, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

@MylesBorins MylesBorins referenced this pull request Jul 18, 2017

Merged

v6.11.2 proposal #14356

@sam-github sam-github referenced this pull request Jul 25, 2017

Closed

V4.x backport 12402 and 13279 #14482

0 of 4 tasks complete
@sam-github

This comment has been minimized.

Show comment
Hide comment
@sam-github

sam-github Jul 25, 2017

Member

backported: #14482

Member

sam-github commented Jul 25, 2017

backported: #14482

MylesBorins added a commit that referenced this pull request Aug 1, 2017

2017-08-01, Version 6.11.2 'Boron' (LTS)
This LTS release comes with 221 commits. This includes 80 which are
test related, 52 which are doc related, 32 which are build / tool
related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand)
    - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis)
    - #13279
    - #12402
    - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu)
    - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts)
    - #13206
  - Agent construction can now be envoked without `new` (cjihrig)
    - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits,
    instead of crashing (Alexey Orlenko)
    - #13098

PR-URL: #14356

MylesBorins added a commit that referenced this pull request Aug 1, 2017

2017-08-01, Version 6.11.2 'Boron' (LTS)
This LTS release comes with 221 commits. This includes 80 which are
test related, 52 which are doc related, 32 which are build / tool
related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand)
    - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis)
    - #13279
    - #12402
    - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu)
    - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts)
    - #13206
  - Agent construction can now be envoked without `new` (cjihrig)
    - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits,
    instead of crashing (Alexey Orlenko)
    - #13098

PR-URL: #14356

MylesBorins added a commit that referenced this pull request Aug 16, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

MylesBorins added a commit that referenced this pull request Aug 16, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

@refack refack referenced this pull request Aug 29, 2017

Closed

Why do you trust CNNIC? #15073

@MylesBorins MylesBorins referenced this pull request Sep 20, 2017

Closed

v4.8.5 proposal #15507

MylesBorins added a commit that referenced this pull request Oct 25, 2017

tools: update certdata.txt
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

MylesBorins added a commit that referenced this pull request Oct 25, 2017

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

@MylesBorins MylesBorins referenced this pull request Oct 25, 2017

Merged

v4.8.6 proposal #16500

MylesBorins added a commit that referenced this pull request Nov 6, 2017

2017-11-07, Version 4.8.6 'Argon' (Maintenance)
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

MylesBorins added a commit that referenced this pull request Nov 6, 2017

2017-11-07, Version 4.8.6 'Argon' (Maintenance)
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500

MylesBorins added a commit that referenced this pull request Nov 7, 2017

2017-11-07, Version 4.8.6 'Argon' (Maintenance)
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500

@abernix abernix referenced this pull request Nov 7, 2017

Merged

Release 1.5.4 #9320

msoechting added a commit to hpicgs/node that referenced this pull request Feb 7, 2018

2017-11-07, Version 4.8.6 'Argon' (Maintenance)
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    nodejs#13279
  - update root certificates (Ben Noordhuis)
    nodejs#12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    nodejs#13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    nodejs#16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    nodejs#13233

PR-URL: nodejs#16500
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment