crypto: update root certificates #19322
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05. This is the version of NSS that will ship in Firefox 60 on 2018-05-01. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GDCA TrustAUTH R5 ROOT - SSL.com EV Root Certification Authority ECC - SSL.com EV Root Certification Authority RSA R2 - SSL.com Root Certification Authority ECC - SSL.com Root Certification Authority RSA - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 Certificates removed: - ACEDICOM Root - AddTrust Low-Value Services Root - AddTrust Public Services Root - AddTrust ualified Certificates Root - CA Disig Root R1 - Camerfirma Chambers of Commerce Root - Camerfirma Global Chambersign Root - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Autorité Racine - Certum Root CA - China Internet Network Information Center EV Certificates Root - CNNIC ROOT - Comodo Secure Services root - Comodo Trusted Services root - DST ACES CA X6 - GeoTrust Global CA 2 - PSCProcert - Security Communication EV RootCA1 - StartCom Certification Authority - StartCom Certification Authority - StartCom Certification Authority G2 - Swisscom Root CA 1 - Swisscom Root CA 2 - Swisscom Root EV CA 2 - TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3 - TURKTRUST Certificate Services Provider Root 2007 - UTN USERFirst Hardware Root CA - WoSign - WoSign China
The previous commit removed the CNNIC root certificates and makes the test/parallel/test-tls-cnnic-whitelist.js test fail with an UNABLE_TO_VERIFY_LEAF_SIGNATURE error instead of the "expected" CERT_REVOKED error. "Expected" between scare quotes because of course the new error is not unexpected.
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015.
nodejs-github-bot
added
c++
cjihrig
approved these changes
Mar 13, 2018
|
Just a tip for past and future @nodejs/collaborators, when reviewing CA update PR - please run the aforementioned tools and verify that the data matches. |
|
@indutny Do you mind writing something down in |
|
I probably won't be able to get to this soon, sorry. |
danbev
approved these changes
Mar 16, 2018
jasnell
approved these changes
Mar 16, 2018
|
Does this address #14537 or are we still waiting for upstream? |
|
No, it doesn't address #14537. I believe NSS/Firefox plans to drop the Symantec certificates later this year. |
|
CI looks good... only issue is linter which is infra related |
MylesBorins
pushed a commit
that referenced
this pull request
Mar 26, 2018
This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05. This is the version of NSS that will ship in Firefox 60 on 2018-05-01. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 26, 2018
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GDCA TrustAUTH R5 ROOT - SSL.com EV Root Certification Authority ECC - SSL.com EV Root Certification Authority RSA R2 - SSL.com Root Certification Authority ECC - SSL.com Root Certification Authority RSA - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 Certificates removed: - ACEDICOM Root - AddTrust Low-Value Services Root - AddTrust Public Services Root - AddTrust ualified Certificates Root - CA Disig Root R1 - Camerfirma Chambers of Commerce Root - Camerfirma Global Chambersign Root - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Autorité Racine - Certum Root CA - China Internet Network Information Center EV Certificates Root - CNNIC ROOT - Comodo Secure Services root - Comodo Trusted Services root - DST ACES CA X6 - GeoTrust Global CA 2 - PSCProcert - Security Communication EV RootCA1 - StartCom Certification Authority - StartCom Certification Authority - StartCom Certification Authority G2 - Swisscom Root CA 1 - Swisscom Root CA 2 - Swisscom Root EV CA 2 - TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3 - TURKTRUST Certificate Services Provider Root 2007 - UTN USERFirst Hardware Root CA - WoSign - WoSign China PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 26, 2018
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015. PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
|
landed in eac4c65...dc87543 @bnoordhuis this doesn't seem to land cleanly on any release lines... specifically dc87543 is conflicting on all release lines edit: 79fa372 is also conflicting on v4.x |
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05. This is the version of NSS that will ship in Firefox 60 on 2018-05-01. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GDCA TrustAUTH R5 ROOT - SSL.com EV Root Certification Authority ECC - SSL.com EV Root Certification Authority RSA R2 - SSL.com Root Certification Authority ECC - SSL.com Root Certification Authority RSA - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 Certificates removed: - ACEDICOM Root - AddTrust Low-Value Services Root - AddTrust Public Services Root - AddTrust ualified Certificates Root - CA Disig Root R1 - Camerfirma Chambers of Commerce Root - Camerfirma Global Chambersign Root - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Autorité Racine - Certum Root CA - China Internet Network Information Center EV Certificates Root - CNNIC ROOT - Comodo Secure Services root - Comodo Trusted Services root - DST ACES CA X6 - GeoTrust Global CA 2 - PSCProcert - Security Communication EV RootCA1 - StartCom Certification Authority - StartCom Certification Authority - StartCom Certification Authority G2 - Swisscom Root CA 1 - Swisscom Root CA 2 - Swisscom Root EV CA 2 - TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3 - TURKTRUST Certificate Services Provider Root 2007 - UTN USERFirst Hardware Root CA - WoSign - WoSign China PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015. PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015. PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05. This is the version of NSS that will ship in Firefox 60 on 2018-05-01. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GDCA TrustAUTH R5 ROOT - SSL.com EV Root Certification Authority ECC - SSL.com EV Root Certification Authority RSA R2 - SSL.com Root Certification Authority ECC - SSL.com Root Certification Authority RSA - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 Certificates removed: - ACEDICOM Root - AddTrust Low-Value Services Root - AddTrust Public Services Root - AddTrust ualified Certificates Root - CA Disig Root R1 - Camerfirma Chambers of Commerce Root - Camerfirma Global Chambersign Root - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Autorité Racine - Certum Root CA - China Internet Network Information Center EV Certificates Root - CNNIC ROOT - Comodo Secure Services root - Comodo Trusted Services root - DST ACES CA X6 - GeoTrust Global CA 2 - PSCProcert - Security Communication EV RootCA1 - StartCom Certification Authority - StartCom Certification Authority - StartCom Certification Authority G2 - Swisscom Root CA 1 - Swisscom Root CA 2 - Swisscom Root EV CA 2 - TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3 - TURKTRUST Certificate Services Provider Root 2007 - UTN USERFirst Hardware Root CA - WoSign - WoSign China PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015. PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05. This is the version of NSS that will ship in Firefox 60 on 2018-05-01. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GDCA TrustAUTH R5 ROOT - SSL.com EV Root Certification Authority ECC - SSL.com EV Root Certification Authority RSA R2 - SSL.com Root Certification Authority ECC - SSL.com Root Certification Authority RSA - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 Certificates removed: - ACEDICOM Root - AddTrust Low-Value Services Root - AddTrust Public Services Root - AddTrust ualified Certificates Root - CA Disig Root R1 - Camerfirma Chambers of Commerce Root - Camerfirma Global Chambersign Root - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Autorité Racine - Certum Root CA - China Internet Network Information Center EV Certificates Root - CNNIC ROOT - Comodo Secure Services root - Comodo Trusted Services root - DST ACES CA X6 - GeoTrust Global CA 2 - PSCProcert - Security Communication EV RootCA1 - StartCom Certification Authority - StartCom Certification Authority - StartCom Certification Authority G2 - Swisscom Root CA 1 - Swisscom Root CA 2 - Swisscom Root EV CA 2 - TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3 - TURKTRUST Certificate Services Provider Root 2007 - UTN USERFirst Hardware Root CA - WoSign - WoSign China PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Mar 27, 2018
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015. PR-URL: nodejs#19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
This was referenced Mar 27, 2018
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05. This is the version of NSS that will ship in Firefox 60 on 2018-05-01. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt Backport-PR-URL: #19631 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GDCA TrustAUTH R5 ROOT - SSL.com EV Root Certification Authority ECC - SSL.com EV Root Certification Authority RSA R2 - SSL.com Root Certification Authority ECC - SSL.com Root Certification Authority RSA - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 Certificates removed: - ACEDICOM Root - AddTrust Low-Value Services Root - AddTrust Public Services Root - AddTrust ualified Certificates Root - CA Disig Root R1 - Camerfirma Chambers of Commerce Root - Camerfirma Global Chambersign Root - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Autorité Racine - Certum Root CA - China Internet Network Information Center EV Certificates Root - CNNIC ROOT - Comodo Secure Services root - Comodo Trusted Services root - DST ACES CA X6 - GeoTrust Global CA 2 - PSCProcert - Security Communication EV RootCA1 - StartCom Certification Authority - StartCom Certification Authority - StartCom Certification Authority G2 - Swisscom Root CA 1 - Swisscom Root CA 2 - Swisscom Root EV CA 2 - TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3 - TURKTRUST Certificate Services Provider Root 2007 - UTN USERFirst Hardware Root CA - WoSign - WoSign China Backport-PR-URL: #19631 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015. Backport-PR-URL: #19631 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05. This is the version of NSS that will ship in Firefox 60 on 2018-05-01. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt Backport-PR-URL: #19634 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GDCA TrustAUTH R5 ROOT - SSL.com EV Root Certification Authority ECC - SSL.com EV Root Certification Authority RSA R2 - SSL.com Root Certification Authority ECC - SSL.com Root Certification Authority RSA - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 Certificates removed: - ACEDICOM Root - AddTrust Low-Value Services Root - AddTrust Public Services Root - AddTrust ualified Certificates Root - CA Disig Root R1 - Camerfirma Chambers of Commerce Root - Camerfirma Global Chambersign Root - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Autorité Racine - Certum Root CA - China Internet Network Information Center EV Certificates Root - CNNIC ROOT - Comodo Secure Services root - Comodo Trusted Services root - DST ACES CA X6 - GeoTrust Global CA 2 - PSCProcert - Security Communication EV RootCA1 - StartCom Certification Authority - StartCom Certification Authority - StartCom Certification Authority G2 - Swisscom Root CA 1 - Swisscom Root CA 2 - Swisscom Root EV CA 2 - TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3 - TURKTRUST Certificate Services Provider Root 2007 - UTN USERFirst Hardware Root CA - WoSign - WoSign China Backport-PR-URL: #19634 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015. Backport-PR-URL: #19634 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05. This is the version of NSS that will ship in Firefox 60 on 2018-05-01. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt Backport-PR-URL: #19632 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GDCA TrustAUTH R5 ROOT - SSL.com EV Root Certification Authority ECC - SSL.com EV Root Certification Authority RSA R2 - SSL.com Root Certification Authority ECC - SSL.com Root Certification Authority RSA - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 Certificates removed: - ACEDICOM Root - AddTrust Low-Value Services Root - AddTrust Public Services Root - AddTrust ualified Certificates Root - CA Disig Root R1 - Camerfirma Chambers of Commerce Root - Camerfirma Global Chambersign Root - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Autorité Racine - Certum Root CA - China Internet Network Information Center EV Certificates Root - CNNIC ROOT - Comodo Secure Services root - Comodo Trusted Services root - DST ACES CA X6 - GeoTrust Global CA 2 - PSCProcert - Security Communication EV RootCA1 - StartCom Certification Authority - StartCom Certification Authority - StartCom Certification Authority G2 - Swisscom Root CA 1 - Swisscom Root CA 2 - Swisscom Root EV CA 2 - TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3 - TURKTRUST Certificate Services Provider Root 2007 - UTN USERFirst Hardware Root CA - WoSign - WoSign China Backport-PR-URL: #19632 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015. Backport-PR-URL: #19632 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05. This is the version of NSS that will ship in Firefox 60 on 2018-05-01. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt Backport-PR-URL: #19633 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GDCA TrustAUTH R5 ROOT - SSL.com EV Root Certification Authority ECC - SSL.com EV Root Certification Authority RSA R2 - SSL.com Root Certification Authority ECC - SSL.com Root Certification Authority RSA - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 Certificates removed: - ACEDICOM Root - AddTrust Low-Value Services Root - AddTrust Public Services Root - AddTrust ualified Certificates Root - CA Disig Root R1 - Camerfirma Chambers of Commerce Root - Camerfirma Global Chambersign Root - CA WoSign ECC Root - Certification Authority of WoSign G2 - Certinomis - Autorité Racine - Certum Root CA - China Internet Network Information Center EV Certificates Root - CNNIC ROOT - Comodo Secure Services root - Comodo Trusted Services root - DST ACES CA X6 - GeoTrust Global CA 2 - PSCProcert - Security Communication EV RootCA1 - StartCom Certification Authority - StartCom Certification Authority - StartCom Certification Authority G2 - Swisscom Root CA 1 - Swisscom Root CA 2 - Swisscom Root EV CA 2 - TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3 - TURKTRUST Certificate Services Provider Root 2007 - UTN USERFirst Hardware Root CA - WoSign - WoSign China Backport-PR-URL: #19633 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
Remove the CNNIC certificates again and remove the whitelist from commit 3beb880 ("crypto: add cert check to CNNIC Whitelist") from June 2015. Backport-PR-URL: #19633 PR-URL: #19322 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
|
This seems to be a tough nut to crack. Should this be backported to v8.x at all? |
Wasn't it already backported in #19633? |
|
Cool. That's reassuring (I thought this was a tough nut because most of the commits came back empty 😛 ). Someone must've forgotten to remove the labels. I will now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.
Certificates added:
Certificates removed:
Needs a decision on how to backport. I've pulled apart the CNNIC and StartCom removals; do we want to backport those (and if so, to what release branches) or apply only in Node.js 10?
cc @nodejs/crypto - this needs your input.
edit: discussion in #9434 is relevant.