Update root certs with NSS 3.41, and document the process #25113

Closed. Wants to merge 3 commits into base: master. 7 participants.

sam-github commented Dec 18, 2018

One question about the process: do root certs always get backported? I think so, so should the final step in the process involve any labelling of the PR to indicate request-to-backport/cherry-pick into LTS branches?

/to @bnoordhuis @shigeki

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

@sam-github sam-github requested a review from bnoordhuis Dec 18, 2018

@sam-github sam-github force-pushed the sam-github:certdata-3.41 branch from ab91dbe to 0fc672b Dec 18, 2018

bnoordhuis left a comment

LGTM. Good writeup, Sam. There's a typo in the URL in the first commit, it's missing the first 't' in certdata.txt.

sam-github added some commits Dec 18, 2018

tools: update certdata.txt
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on 2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt

crypto: update root certificates
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
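
A reviewer can reproduce added/removed lists like the ones in the commit message above by diffing the server-auth trust entries of two certdata.txt revisions. This is an added example, not code from the pull request or from tools/mk-ca-bundle.pl; it assumes the bundle keeps roots whose CKO_NSS_TRUST object sets CKA_TRUST_SERVER_AUTH to CKT_NSS_TRUSTED_DELEGATOR, and the sample labels and the names trustedServerAuthLabels, diffRoots and trustObject are constructed for illustration.

```javascript
'use strict';

// Labels whose CKO_NSS_TRUST object marks them as a trusted delegator for
// TLS server authentication. Labels are compared exactly as written.
function trustedServerAuthLabels(text) {
  const trusted = new Set();
  let cls = null;
  let label = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    let m;
    if ((m = /^CKA_CLASS\s+CK_OBJECT_CLASS\s+(\S+)/.exec(line))) {
      cls = m[1]; // each object begins with its CKA_CLASS attribute
      label = null;
    } else if ((m = /^CKA_LABEL\s+UTF8\s+"(.*)"$/.exec(line))) {
      label = m[1];
    } else if ((m = /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+(\S+)/.exec(line)) &&
               cls === 'CKO_NSS_TRUST' && label !== null &&
               m[1] === 'CKT_NSS_TRUSTED_DELEGATOR') {
      trusted.add(label);
    }
  }
  return trusted;
}

// Compare two revisions and list roots gaining or losing server-auth trust.
function diffRoots(oldText, newText) {
  const before = trustedServerAuthLabels(oldText);
  const after = trustedServerAuthLabels(newText);
  return {
    added: [...after].filter((l) => !before.has(l)).sort(),
    removed: [...before].filter((l) => !after.has(l)).sort(),
  };
}

// Constructed sample input (hypothetical labels, trust objects only).
const trustObject = (label, serverAuth) => [
  `# Trust for "${label}"`,
  'CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST',
  `CKA_LABEL UTF8 "${label}"`,
  `CKA_TRUST_SERVER_AUTH CK_TRUST ${serverAuth}`,
  'CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR',
].join('\n');
const OK = 'CKT_NSS_TRUSTED_DELEGATOR';
const NO = 'CKT_NSS_MUST_VERIFY_TRUST';
const SAMPLE_OLD = [['Example Root A', OK], ['Example Root B', OK],
  ['Example Root C', NO]].map((e) => trustObject(...e)).join('\n\n');
const SAMPLE_NEW = [['Example Root A', OK], ['Example Root B', NO],
  ['Example Root D', OK]].map((e) => trustObject(...e)).join('\n\n');

console.log(diffRoots(SAMPLE_OLD, SAMPLE_NEW));
```

In the sample, "Example Root B" stays in the file but loses server-auth trust, so it is reported as removed even though its object was not deleted.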

@sam-github sam-github force-pushed the sam-github:certdata-3.41 branch 2 times, most recently from 4e73e85 to b5ca978 Dec 20, 2018

@sam-github sam-github force-pushed the sam-github:certdata-3.41 branch from b5ca978 to cc6aa02 Dec 20, 2018

addaleax commented Dec 21, 2018

Landed in 4ac1702...845fdd0

@addaleax addaleax closed this Dec 21, 2018

addaleax added a commit that referenced this pull request Dec 21, 2018

tools: update certdata.txt
PR-URL: #25113
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

addaleax added a commit that referenced this pull request Dec 21, 2018

crypto: update root certificates
PR-URL: #25113
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

addaleax added a commit that referenced this pull request Dec 21, 2018

doc: describe root cert update process
PR-URL: #25113
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

@sam-github sam-github deleted the sam-github:certdata-3.41 branch Dec 21, 2018

bnoordhuis commented Dec 24, 2018

> One question about the process: do root certs always get backported?

Sorry, forgot to answer this. The answer is 'mostly' - there have been some certificate changes that we didn't backport in the past for fear of disruption (deprecation/removal of 1024 bits RSA certs was one.)


MylesBorins added a commit that referenced this pull request Dec 25, 2018

2018-12-26, Version 11.6.0 (Current)
Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    #24811
* crypto:
  - always accept certificates as public keys (Tobias Nießen)
    #24234
  - add key object API (Tobias Nießen) [#24234](#24234)
  - update root certificates (Sam Roberts)
    #25113
* deps:
  - upgrade to libuv 1.24.1 (cjihrig)
    #25078
  - upgrade npm to 6.5.0 (Audrey Eschright)
    #24734
* http:
  - add maxHeaderSize property (cjihrig)
    #24860

PR-URL: #25175

@MylesBorins MylesBorins referenced this pull request Dec 25, 2018

Merged

v11.6.0 proposal #25175
