Skip to content

crypto: update root certificates#13279

Closed
bnoordhuis wants to merge 2 commits intonodejs:masterfrom
bnoordhuis:update-root-certs
Closed

crypto: update root certificates#13279
bnoordhuis wants to merge 2 commits intonodejs:masterfrom
bnoordhuis:update-root-certs

Conversation

@bnoordhuis
Copy link
Member

@bnoordhuis bnoordhuis commented May 29, 2017
edited
Loading

Refs #12402 and particularly this comment:

If we end up delaying the node 8 release for a few weeks, we should consider upgrading to NSS 3.31 to include the March updates as well.

3.31 won't be released until next month but 3.30 is here and is what ships in Firefox 54.

Certificates added:

  • TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:

  • ApplicationCA - Japanese Government
  • Microsec e-Szigno Root CA
  • TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  • WellsSecure Public Root Certificate Authority

Ideally this should go into 8.0.0. cc @nodejs/crypto @jasnell

CI: https://ci.nodejs.org/job/node-test-pull-request/8357/

bnoordhuis added 2 commits May 29, 2017 11:10
@bnoordhuis
tools: update certdata.txt
2475a16 
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt
@bnoordhuis
crypto: update root certificates
1a416fb 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority
@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. openssl Issues and PRs related to the OpenSSL dependency. tls Issues and PRs related to the tls subsystem. tools Issues and PRs related to the tools directory. labels May 29, 2017
@jasnell
Copy link
Member

jasnell commented May 29, 2017

This would have to be fast tracked and landed today in order to make it in to 8.0.0.

Side note: we really need to be more diligent about not pushing these types of things in at the last minute. The release was delayed a month and things are still coming in last minute.

@jasnell jasnell added this to the 8.0.0 milestone May 29, 2017
@jasnell
Copy link
Member

jasnell commented May 29, 2017

Given the signoff and the green CI, I'm going to land this so that I can get it into 8.0.0

jasnell pushed a commit that referenced this pull request May 29, 2017
@bnoordhuis @jasnell
tools: update certdata.txt
d302827 
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request May 29, 2017
@bnoordhuis @jasnell
crypto: update root certificates
58af75e 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@jasnell
Copy link
Member

jasnell commented May 29, 2017

Landed in d302827 and 58af75e

@jasnell jasnell closed this May 29, 2017
jasnell pushed a commit that referenced this pull request May 29, 2017
@bnoordhuis @jasnell
tools: update certdata.txt
bfa27d2 
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request May 29, 2017
@bnoordhuis @jasnell
crypto: update root certificates
9fa1489 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@bnoordhuis bnoordhuis deleted the update-root-certs branch May 30, 2017 09:23
@bnoordhuis bnoordhuis mentioned this pull request May 30, 2017
Closed
@gibfahn gibfahn added baking-for-lts PRs that need to wait before landing in a LTS release. lts-watch-v6.x labels May 30, 2017
@gibfahn
Copy link
Member

gibfahn commented May 30, 2017

Should land with #12402, see #12402 (comment)

MylesBorins pushed a commit that referenced this pull request Jul 14, 2017
@bnoordhuis @MylesBorins
tools: update certdata.txt
f831015 
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 14, 2017
@bnoordhuis @MylesBorins
crypto: update root certificates
1bfd177 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@MylesBorins MylesBorins added land-on-v6.x and removed lts-watch-v6.x baking-for-lts PRs that need to wait before landing in a LTS release. labels Jul 14, 2017
@MylesBorins MylesBorins mentioned this pull request Jul 18, 2017
Merged
@sam-github sam-github mentioned this pull request Jul 25, 2017
Closed
4 tasks
@sam-github
Copy link
Contributor

sam-github commented Jul 25, 2017

backported: #14482

MylesBorins added a commit that referenced this pull request Aug 1, 2017
@MylesBorins
2017-08-01, Version 6.11.2 'Boron' (LTS)
f15e124 
This LTS release comes with 221 commits. This includes 80 which are
test related, 52 which are doc related, 32 which are build / tool
related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand)
    - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis)
    - #13279
    - #12402
    - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu)
    - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts)
    - #13206
  - Agent construction can now be envoked without `new` (cjihrig)
    - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits,
    instead of crashing (Alexey Orlenko)
    - #13098

PR-URL: #14356
MylesBorins added a commit that referenced this pull request Aug 1, 2017
@MylesBorins
2017-08-01, Version 6.11.2 'Boron' (LTS)
8a53897 
This LTS release comes with 221 commits. This includes 80 which are
test related, 52 which are doc related, 32 which are build / tool
related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand)
    - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis)
    - #13279
    - #12402
    - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu)
    - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts)
    - #13206
  - Agent construction can now be envoked without `new` (cjihrig)
    - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits,
    instead of crashing (Alexey Orlenko)
    - #13098

PR-URL: #14356
MylesBorins pushed a commit that referenced this pull request Aug 16, 2017
@bnoordhuis @MylesBorins
tools: update certdata.txt
fdcfc4c 
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Aug 16, 2017
@bnoordhuis @MylesBorins
crypto: update root certificates
fc6d118 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@refack refack mentioned this pull request Aug 29, 2017
Closed
@MylesBorins MylesBorins mentioned this pull request Sep 20, 2017
Closed
MylesBorins pushed a commit that referenced this pull request Oct 25, 2017
@bnoordhuis @MylesBorins
tools: update certdata.txt
07c912e 
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Oct 25, 2017
@bnoordhuis @MylesBorins
crypto: update root certificates
210fa72 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@MylesBorins MylesBorins mentioned this pull request Oct 25, 2017
Merged
MylesBorins added a commit that referenced this pull request Nov 6, 2017
@MylesBorins
2017-11-07, Version 4.8.6 'Argon' (Maintenance)
449d60d 
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500
MylesBorins added a commit that referenced this pull request Nov 7, 2017
@MylesBorins
2017-11-07, Version 4.8.6 'Argon' (Maintenance)
16b1faa 
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500
@abernix abernix mentioned this pull request Nov 7, 2017
Merged
abhishekumar-tyagi pushed a commit to abhishekumar-tyagi/node that referenced this pull request May 5, 2024
@bnoordhuis @sam-github
tools: update certdata.txt
74f31be 
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: nodejs/node#13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
abhishekumar-tyagi pushed a commit to abhishekumar-tyagi/node that referenced this pull request May 5, 2024
@bnoordhuis @sam-github
crypto: update root certificates
2e0da90 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: nodejs/node#13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasnell jasnell jasnell approved these changes

@cjihrig cjihrig cjihrig approved these changes

+1 more reviewer

@sam-github sam-github sam-github approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. openssl Issues and PRs related to the OpenSSL dependency. tls Issues and PRs related to the tls subsystem. tools Issues and PRs related to the tools directory.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@bnoordhuis @jasnell @gibfahn @sam-github @cjihrig @MylesBorins @nodejs-github-bot