-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: update root certificates #7363
Conversation
LGTM |
I made @bnoordhuis Could you add one more commit to remove the test of Other tests of The current |
If it is better to open a new PR to remove the test, I'm okay with it. |
Rubber-stamp LGTM. |
Do we have regressions to make sure that the certificate updates don't break? Edit: nvm. internet tests. LGTM. |
This is the certdata.txt[0] that ships in Firefox 47 and NSS 3.23, last updated on 2016-02-26. [0] https://hg.mozilla.org/mozilla-central/raw-file/1f84dea6508d/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Commit eff96d3 ("src: add include guards to internal headers") adds include guards. Update tools/mk-ca-bundle.pl to output them when generating src/node_root_certs.h. PR-URL: nodejs#7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - Certum Trusted Network CA 2 - SZAFIR ROOT CA2 Certificates removed: - CA Disig - NetLock Notary (Class A) Root - Staat der Nederlanden Root CA PR-URL: nodejs#7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: nodejs#7363 Refs: nodejs#7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
28429a6
to
ede98a7
Compare
I've removed the test in ede98a7.
Yes, I've seen that but I thought it prudent to update to root certificates that are currently shipping in stable FF. If you want, we can revisit. We could follow latest stable NSS rather than latest stable FF, for example. |
@bnoordhuis Thanks for adding the commits. I agree your decision to use the one in the stable Firefox. We will mark the next update schedule in this November. |
This is the certdata.txt[0] that ships in Firefox 47 and NSS 3.23, last updated on 2016-02-26. [0] https://hg.mozilla.org/mozilla-central/raw-file/1f84dea6508d/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Commit eff96d3 ("src: add include guards to internal headers") adds include guards. Update tools/mk-ca-bundle.pl to output them when generating src/node_root_certs.h. PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - Certum Trusted Network CA 2 - SZAFIR ROOT CA2 Certificates removed: - CA Disig - NetLock Notary (Class A) Root - Staat der Nederlanden Root CA PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: #7363 Refs: #7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: nodejs#7363 Refs: nodejs#7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This is the certdata.txt[0] that ships in Firefox 47 and NSS 3.23, last updated on 2016-02-26. [0] https://hg.mozilla.org/mozilla-central/raw-file/1f84dea6508d/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Root CA - Certum Trusted Network CA 2 - OISTE WISeKey Global Root GB CA - SZAFIR ROOT CA2 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H5 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H6 Certificates removed: - A-Trust-nual-03 - Buypass Class 3 CA 1 - CA Disig - ComSign Secured CA - Equifax Secure CA - NetLock Notary (Class A) Root - Staat der Nederlanden Root CA - TC TrustCenter Class 2 CA II - TC TrustCenter Universal CA I - TURKTRUST Certificate Services Provider Root 1 - TURKTRUST Certificate Services Provider Root 2 - UTN DATACorp SGC Root CA - Verisign Class 4 Public Primary Certification Authority - G3 PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: #7363 Refs: #7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This is the certdata.txt[0] that ships in Firefox 47 and NSS 3.23, last updated on 2016-02-26. [0] https://hg.mozilla.org/mozilla-central/raw-file/1f84dea6508d/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Root CA - Certum Trusted Network CA 2 - OISTE WISeKey Global Root GB CA - SZAFIR ROOT CA2 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H5 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H6 Certificates removed: - A-Trust-nual-03 - Buypass Class 3 CA 1 - CA Disig - ComSign Secured CA - Equifax Secure CA - NetLock Notary (Class A) Root - Staat der Nederlanden Root CA - TC TrustCenter Class 2 CA II - TC TrustCenter Universal CA I - TURKTRUST Certificate Services Provider Root 1 - TURKTRUST Certificate Services Provider Root 2 - UTN DATACorp SGC Root CA - Verisign Class 4 Public Primary Certification Authority - G3 PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: #7363 Refs: #7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This is the certdata.txt[0] that ships in Firefox 47 and NSS 3.23, last updated on 2016-02-26. [0] https://hg.mozilla.org/mozilla-central/raw-file/1f84dea6508d/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Root CA - Certum Trusted Network CA 2 - OISTE WISeKey Global Root GB CA - SZAFIR ROOT CA2 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H5 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H6 Certificates removed: - A-Trust-nual-03 - Buypass Class 3 CA 1 - CA Disig - ComSign Secured CA - Equifax Secure CA - NetLock Notary (Class A) Root - Staat der Nederlanden Root CA - TC TrustCenter Class 2 CA II - TC TrustCenter Universal CA I - TURKTRUST Certificate Services Provider Root 1 - TURKTRUST Certificate Services Provider Root 2 - UTN DATACorp SGC Root CA - Verisign Class 4 Public Primary Certification Authority - G3 PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: #7363 Refs: #7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This is the certdata.txt[0] that ships in Firefox 47 and NSS 3.23, last updated on 2016-02-26. [0] https://hg.mozilla.org/mozilla-central/raw-file/1f84dea6508d/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Root CA - Certum Trusted Network CA 2 - OISTE WISeKey Global Root GB CA - SZAFIR ROOT CA2 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H5 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H6 Certificates removed: - A-Trust-nual-03 - Buypass Class 3 CA 1 - CA Disig - ComSign Secured CA - Equifax Secure CA - NetLock Notary (Class A) Root - Staat der Nederlanden Root CA - TC TrustCenter Class 2 CA II - TC TrustCenter Universal CA I - TURKTRUST Certificate Services Provider Root 1 - TURKTRUST Certificate Services Provider Root 2 - UTN DATACorp SGC Root CA - Verisign Class 4 Public Primary Certification Authority - G3 PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: #7363 Refs: #7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This is the certdata.txt[0] that ships in Firefox 47 and NSS 3.23, last updated on 2016-02-26. [0] https://hg.mozilla.org/mozilla-central/raw-file/1f84dea6508d/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Root CA - Certum Trusted Network CA 2 - OISTE WISeKey Global Root GB CA - SZAFIR ROOT CA2 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H5 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H6 Certificates removed: - A-Trust-nual-03 - Buypass Class 3 CA 1 - CA Disig - ComSign Secured CA - Equifax Secure CA - NetLock Notary (Class A) Root - Staat der Nederlanden Root CA - TC TrustCenter Class 2 CA II - TC TrustCenter Universal CA I - TURKTRUST Certificate Services Provider Root 1 - TURKTRUST Certificate Services Provider Root 2 - UTN DATACorp SGC Root CA - Verisign Class 4 Public Primary Certification Authority - G3 PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: #7363 Refs: #7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This is the certdata.txt[0] that ships in Firefox 47 and NSS 3.23, last updated on 2016-02-26. [0] https://hg.mozilla.org/mozilla-central/raw-file/1f84dea6508d/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Root CA - Certum Trusted Network CA 2 - OISTE WISeKey Global Root GB CA - SZAFIR ROOT CA2 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H5 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H6 Certificates removed: - A-Trust-nual-03 - Buypass Class 3 CA 1 - CA Disig - ComSign Secured CA - Equifax Secure CA - NetLock Notary (Class A) Root - Staat der Nederlanden Root CA - TC TrustCenter Class 2 CA II - TC TrustCenter Universal CA I - TURKTRUST Certificate Services Provider Root 1 - TURKTRUST Certificate Services Provider Root 2 - UTN DATACorp SGC Root CA - Verisign Class 4 Public Primary Certification Authority - G3 PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: #7363 Refs: #7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This is the certdata.txt[0] that ships in Firefox 47 and NSS 3.23, last updated on 2016-02-26. [0] https://hg.mozilla.org/mozilla-central/raw-file/1f84dea6508d/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Root CA - Certum Trusted Network CA 2 - OISTE WISeKey Global Root GB CA - SZAFIR ROOT CA2 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H5 - TURKTRUST Elektronik Sertifika Hizmet Sa?layıcısı H6 Certificates removed: - A-Trust-nual-03 - Buypass Class 3 CA 1 - CA Disig - ComSign Secured CA - Equifax Secure CA - NetLock Notary (Class A) Root - Staat der Nederlanden Root CA - TC TrustCenter Class 2 CA II - TC TrustCenter Universal CA I - TURKTRUST Certificate Services Provider Root 1 - TURKTRUST Certificate Services Provider Root 2 - UTN DATACorp SGC Root CA - Verisign Class 4 Public Primary Certification Authority - G3 PR-URL: #7363 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Shigeki Ohtsu points out that the test is unreliable because some of the www1.cnnnic.cn servers are misconfigured. Remove it. PR-URL: #7363 Refs: #7363 (comment) Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Notable Changes: Semver Minor: * buffer: * backport new buffer constructor APIs to v4.x (Сковорода Никита Андреевич) #7562 * backport --zero-fill-buffers cli option (James M Snell) #5745 * build: * add Intel Vtune profiling support (Chunyang Dai) #5527 * repl: * copying tabs shouldn't trigger completion (Eugene Obrezkov) #5958 * src: * add node::FreeEnvironment public API (Cheng Zhao) #3098 * test: * run v8 tests from node tree (Bryon Leung) #4704 * V8: * Add post mortem data to improve object inspection and function's context variables inspection (Fedor Indutny) #3779 Semver Patch: * **buffer**: * ignore negative allocation lengths (Anna Henningsen) #7562 * **crypto**: * update root certificates (Ben Noordhuis) #7363 * **libuv**: * upgrade libuv to 1.9.1 (Saúl Ibarra Corretgé) #6796 * upgrade libuv to 1.9.0 (Saúl Ibarra Corretgé) #5994 * **npm**: * upgrade to 2.15.9 (Kat Marchán) #7692
Notable Changes: Semver Minor: * buffer: * backport new buffer constructor APIs to v4.x (Сковорода Никита Андреевич) #7562 * backport --zero-fill-buffers cli option (James M Snell) #5745 * build: * add Intel Vtune profiling support (Chunyang Dai) #5527 * repl: * copying tabs shouldn't trigger completion (Eugene Obrezkov) #5958 * src: * add node::FreeEnvironment public API (Cheng Zhao) #3098 * test: * run v8 tests from node tree (Bryon Leung) #4704 * V8: * Add post mortem data to improve object inspection and function's context variables inspection (Fedor Indutny) #3779 Semver Patch: * **buffer**: * ignore negative allocation lengths (Anna Henningsen) #7562 * **crypto**: * update root certificates (Ben Noordhuis) #7363 * **libuv**: * upgrade libuv to 1.9.1 (Saúl Ibarra Corretgé) #6796 * upgrade libuv to 1.9.0 (Saúl Ibarra Corretgé) #5994 * **npm**: * upgrade to 2.15.9 (Kat Marchán) #7692
Notable Changes: Semver Minor: * buffer: * backport new buffer constructor APIs to v4.x (Сковорода Никита Андреевич) #7562 * backport --zero-fill-buffers cli option (James M Snell) #5745 * build: * add Intel Vtune profiling support (Chunyang Dai) #5527 * repl: * copying tabs shouldn't trigger completion (Eugene Obrezkov) #5958 * src: * add node::FreeEnvironment public API (Cheng Zhao) #3098 * test: * run v8 tests from node tree (Bryon Leung) #4704 * V8: * Add post mortem data to improve object inspection and function's context variables inspection (Fedor Indutny) #3779 Semver Patch: * **buffer**: * ignore negative allocation lengths (Anna Henningsen) #7562 * **crypto**: * update root certificates (Ben Noordhuis) #7363 * **libuv**: * upgrade libuv to 1.9.1 (Saúl Ibarra Corretgé) #6796 * upgrade libuv to 1.9.0 (Saúl Ibarra Corretgé) #5994 * **npm**: * upgrade to 2.15.9 (Kat Marchán) #7692
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.
Certificates added:
Certificates removed:
Note: added/removed will be different across branches.
R=@nodejs/crypto
CI: https://ci.nodejs.org/job/node-test-pull-request/3049/