crypto: update root certificates #3951
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bnoordhuis
added
tls
|
LGTM, verified certs. aac67e61d13e61f4e855350e896f9487e858ed464bb6340623ccb261da767c232c55c735f9217609bb7e23589016497feb7958e63a31309e4d9828a474510bd7 tools/certdata.txt |
This is the latest certdata.txt from [0], last updated on 2015-11-13. [0] https://hg.mozilla.org/mozilla-central/raw-file/64df3815df9c/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#3951 Reviewed-By: Fedor Indutny <fedor@indutny.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. PR-URL: nodejs#3951 Reviewed-By: Fedor Indutny <fedor@indutny.com>
bnoordhuis
force-pushed
the
update-root-certs
branch
from
cd15467
to
c83d9b7
Compare
|
Thanks for the review, Fedor. Tentatively tagged this |
|
On what basis we update the root certificates? |
|
There is no fixed schedule, I simply I check the upstream certdata.txt for significant changes from time to time. There hasn't been anything earth-shattering but the last update in node was in May so I figured now is a good a time as any. Maybe it's good to move to a more formal process but I'm not volunteering to write up a proposal. :-) |
|
Maybe @nodejs/crypto can take it up? |
|
@bnoordhuis what is "upstream" here? I am just trying to understand where exactly we get the certs from. |
|
@bnoordhuis Thanks :-) I really don't know which one to favor over the other. But as long as we get it from the well-known entity, we are good I guess. |
|
F.Y.I NSS has already updated certdata.txt in Oct. as https://bugzilla.mozilla.org/show_bug.cgi?id=1214729 but not deployed to Firefox yet. If it is included in Firefox45, it will be stable in March 2016. |
|
@bnoordhuis what will be needed for this to land in lts? would it potentially land in v0.12 as well? |
|
@thealphanerd It will land in both v0.12 and v0.10. See #3952 . |
|
@shigeki Good to know. I'll make the assumption that this is going to be handled by someone with more security chops until I hear otherwise |
bnoordhuis
added a commit
that referenced
this pull request
Dec 5, 2015
This is the latest certdata.txt from [0], last updated on 2015-11-13. [0] https://hg.mozilla.org/mozilla-central/raw-file/64df3815df9c/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #3951 Reviewed-By: Fedor Indutny <fedor@indutny.com>
bnoordhuis
added a commit
that referenced
this pull request
Dec 5, 2015
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. PR-URL: #3951 Reviewed-By: Fedor Indutny <fedor@indutny.com>
This was referenced Dec 8, 2015
rvagg
added a commit
that referenced
this pull request
Dec 9, 2015
Notable changes:
* build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling. For more information about VTune, see
https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785.
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled. (Fedor Indutny) #3962.
* crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys that
are not dynamically generated via generateKeys(). The public key
is now computed when explicitly setting a private key. Added
validity checks to reduce the possibility of computing weak or
invalid shared secrets. Also, deprecated the setPublicKey() method
for ECDH objects as its usage is unnecessary and can lead to
inconsistent state. (Michael Ruddy) #3511.
- Update root certificates from the current list stored maintained
by Mozilla NSS. (Ben Noordhuis) #3951.
- Multiple CA certificates can now be passed with the ca option to
TLS methods as an array of strings or in a single new-line
separated string. (Ben Noordhuis) #4099
* tools: Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to process V8
profiling output files generated when using the --prof command-line
argument. (Matt Loring) #4021.
PR-URL: #4181
rvagg
added a commit
that referenced
this pull request
Dec 9, 2015
Notable changes:
* build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling. For more information about VTune, see
https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785.
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled. (Fedor Indutny) #3962.
* crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys that
are not dynamically generated via generateKeys(). The public key
is now computed when explicitly setting a private key. Added
validity checks to reduce the possibility of computing weak or
invalid shared secrets. Also, deprecated the setPublicKey() method
for ECDH objects as its usage is unnecessary and can lead to
inconsistent state. (Michael Ruddy) #3511.
- Update root certificates from the current list stored maintained
by Mozilla NSS. (Ben Noordhuis) #3951.
- Multiple CA certificates can now be passed with the ca option to
TLS methods as an array of strings or in a single new-line
separated string. (Ben Noordhuis) #4099
* tools: Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to process V8
profiling output files generated when using the --prof command-line
argument. (Matt Loring) #4021.
PR-URL: #4181
Closed
|
@nodejs/lts is this ready to land? |
|
This is probably already stale again. I had on my list updating the certificate list in master again. |
|
@bnoordhuis I have removed the lts watch on this and await a new certificate list. please let me know if this should be reconsidered |
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
Notable changes:
* build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling. For more information about VTune, see
https://software.intel.com/en-us/node/544211. (Chunyang Dai) nodejs#3785.
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled. (Fedor Indutny) nodejs#3962.
* crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys that
are not dynamically generated via generateKeys(). The public key
is now computed when explicitly setting a private key. Added
validity checks to reduce the possibility of computing weak or
invalid shared secrets. Also, deprecated the setPublicKey() method
for ECDH objects as its usage is unnecessary and can lead to
inconsistent state. (Michael Ruddy) nodejs#3511.
- Update root certificates from the current list stored maintained
by Mozilla NSS. (Ben Noordhuis) nodejs#3951.
- Multiple CA certificates can now be passed with the ca option to
TLS methods as an array of strings or in a single new-line
separated string. (Ben Noordhuis) nodejs#4099
* tools: Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to process V8
profiling output files generated when using the --prof command-line
argument. (Matt Loring) nodejs#4021.
PR-URL: nodejs#4181
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
R=@nodejs/crypto
CI: https://ci.nodejs.org/job/node-test-pull-request/802/