@bnoordhuis (Member) commented Apr 13, 2017

I picked the certdata.txt from upstream NSS instead of downstream Firefox this time around in order to include the January CA updates.

If we end up delaying the node 8 release for a few weeks, we should consider upgrading to NSS 3.31 to include the March updates as well.

cc @nodejs/crypto, refs #12393.

CI: https://ci.nodejs.org/job/node-test-pull-request/7380/
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/715/

This is the certdata.txt[0] that ships in NSS 3.28.1, released on 2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana
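
An added/removed list like the one in the commit message above can be derived by diffing two certdata.txt snapshots. The sketch below is an added example, not code from this PR or from the Node.js project; it assumes a root counts as included when its trust object sets CKA_TRUST_SERVER_AUTH to CKT_NSS_TRUSTED_DELEGATOR (tools/mk-ca-bundle.pl may apply different rules), and the function names and sample entries are constructed for illustration.

```javascript
// Labels whose NSS trust object makes them trusted delegators for TLS
// server authentication (assumed inclusion rule for this example).
function serverAuthRoots(certdata) {
  const trusted = new Set();
  let cls = null, label = null, inOctal = false;
  for (const raw of certdata.split(/\r?\n/)) {
    const line = raw.trim();
    if (inOctal) { inOctal = line !== 'END'; continue; } // skip DER bytes
    if (line === '' || line.startsWith('#')) continue;
    const [attr, type, value] = line.split(/\s+/);
    if (type === 'MULTILINE_OCTAL') { inOctal = true; continue; }
    if (attr === 'CKA_CLASS') { cls = value; label = null; }
    if (attr === 'CKA_LABEL') label = (/"(.*)"/.exec(line) || [])[1] || null;
    if (attr === 'CKA_TRUST_SERVER_AUTH' && cls === 'CKO_NSS_TRUST' &&
        value === 'CKT_NSS_TRUSTED_DELEGATOR' && label) trusted.add(label);
  }
  return trusted;
}

// Diff two snapshots. A root that stays in the file but loses server-auth
// trust is reported as removed, same as one that is deleted outright.
function diffRootStores(oldData, newData) {
  const before = serverAuthRoots(oldData), after = serverAuthRoots(newData);
  return {
    added: [...after].filter((l) => !before.has(l)).sort(),
    removed: [...before].filter((l) => !after.has(l)).sort(),
  };
}

// Constructed entries in certdata.txt syntax; labels and bytes are made up.
const entry = (label, serverAuth) => String.raw`
# Certificate "${label}"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "${label}"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012
END

# Trust for "${label}"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "${label}"
CKA_TRUST_SERVER_AUTH CK_TRUST ${serverAuth}
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
`;
const OK = 'CKT_NSS_TRUSTED_DELEGATOR', NO = 'CKT_NSS_MUST_VERIFY_TRUST';
const OLD_SNAPSHOT = entry('Constructed Root A', OK) +
  entry('Constructed Root B', OK) + entry('Constructed Root D', OK);
const NEW_SNAPSHOT = entry('Constructed Root A', OK) +
  entry('Constructed Root B', NO) + entry('Constructed Root C', OK);

console.log(diffRootStores(OLD_SNAPSHOT, NEW_SNAPSHOT));
```

Labels in a real certdata.txt can contain escaped UTF-8 bytes, which this sketch compares as written rather than decoding.
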
@nodejs-github-bot added the c++, openssl, tls and tools labels Apr 13, 2017

@jasnell (Member) left a comment

largely rubber stamp LGTM

@cjihrig (Contributor) left a comment

Also, rubberstamp.

@shigeki (Contributor) left a comment

LGTM. This is the same as the one included in Firefox53 to be released next week.

NSS 3.31 is included in Firefox55 to be stable on 2017-08-08. https://bugzilla.mozilla.org/show_bug.cgi?id=1345368

@sam-github (Contributor) commented

@nodejs/lts @bnoordhuis will you backport to LTS as well? Do we consistently backport the root updates?

They are potentially semver-major... but they are also security updates, and if a CA is invalidated, maybe your code should break.

@bnoordhuis (Member, Author) commented

@sam-github We back-port after due deliberation. E.g., we added back some transitional 1024 RSA certificates last time for compatibility reasons.

@jasnell (Member) commented

@sam-github to follow up on @bnoordhuis comments... ideally this would sit in a current release for a couple of weeks before we look at backporting to LTS.

jasnell pushed a commit that referenced this pull request Apr 18, 2017

This is the certdata.txt[0] that ships in NSS 3.28.1, released on 2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell
Reviewed-By: Colin Ihrig
Reviewed-By: Shigeki Ohtsu

jasnell pushed a commit that referenced this pull request Apr 18, 2017

Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell
Reviewed-By: Colin Ihrig
Reviewed-By: Shigeki Ohtsu

@jasnell (Member) commented

Landed in abe0375 and 6331b63

@jasnell closed this Apr 18, 2017
evanlucas pushed two commits that referenced this pull request Apr 25, 2017
@evanlucas mentioned this pull request May 1, 2017
evanlucas pushed two commits that referenced this pull request May 1, 2017
evanlucas pushed two commits that referenced this pull request May 2, 2017
@gibfahn added the baking-for-lts label May 16, 2017

@gibfahn (Member) commented

Opting to leave this until the next v6.x (to bake some more), LMK if there's a need to land it sooner.

jbunton-atlassian pushed a commit to jbunton-atlassian/node that referenced this pull request May 29, 2017
This was referenced May 29, 2017
@bnoordhuis (Member, Author) commented

Backporters, this should land together with #13279.

MylesBorins pushed two commits that referenced this pull request Jul 14, 2017
@MylesBorins removed the baking-for-lts and lts-watch-v6.x labels Jul 14, 2017

@MylesBorins (Contributor) commented

This does not land cleanly on v4.x

Could someone who is familiar with the certs please submit a backport

@sam-github (Contributor) commented

backported: #14482

MylesBorins added a commit that referenced this pull request Aug 1, 2017

This LTS release comes with 221 commits. This includes 80 which are test related, 52 which are doc related, 32 which are build / tool related and 10 commits which are updates to dependencies.

Notable Changes:

* configure:
  - add mips64el to valid_arch (Aditya Anand) - #13620
* crypto:
  - Updated root certificates based on [NSS 3.30] (Ben Noordhuis) - #13279 - #12402 - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30_release_notes
* deps:
  - upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu) - #12913
* http:
  - parse errors are now reported when NODE_DEBUG=http (Sam Roberts) - #13206
  - Agent construction can now be invoked without `new` (cjihrig) - #12927
* zlib:
  - node will now throw an Error when zlib rejects the value of windowBits, instead of crashing (Alexey Orlenko) - #13098

PR-URL: #14356

MylesBorins pushed two commits that referenced this pull request Aug 16, 2017
@MylesBorins mentioned this pull request Sep 20, 2017
MylesBorins pushed two commits that referenced this pull request Oct 25, 2017
@MylesBorins mentioned this pull request Oct 25, 2017
MylesBorins added a commit that referenced this pull request Nov 6, 2017

Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis) #13279
  - update root certificates (Ben Noordhuis) #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani) #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu) #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius) #13233

PR-URL: #16500

MylesBorins added a commit that referenced this pull request Nov 7, 2017
@abernix mentioned this pull request Nov 7, 2017
abhishekumar-tyagi pushed two commits to abhishekumar-tyagi/node that referenced this pull request May 5, 2024