
Conversation

@bnoordhuis (Member)

bnoordhuis added the tls (Issues and PRs related to the tls subsystem) and crypto (Issues and PRs related to the crypto subsystem) labels Nov 21, 2015
@indutny (Member)

LGTM, verified certs.

aac67e61d13e61f4e855350e896f9487e858ed464bb6340623ccb261da767c232c55c735f9217609bb7e23589016497feb7958e63a31309e4d9828a474510bd7 tools/certdata.txt

This is the latest certdata.txt from [0], last updated on 2015-11-13.

[0] https://hg.mozilla.org/mozilla-central/raw-file/64df3815df9c/security/nss/lib/ckfw/builtins/certdata.txt

PR-URL: nodejs#3951
Reviewed-By: Fedor Indutny <[email protected]>

Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl.

PR-URL: nodejs#3951
Reviewed-By: Fedor Indutny <[email protected]>
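The selection step that tools/mk-ca-bundle.pl performs on certdata.txt, as an added Python example rather than the project's own script: it parses the NSS object syntax and emits PEM only for certificates whose CKO_NSS_TRUST record is CKT_NSS_TRUSTED_DELEGATOR for server auth, so a root Mozilla has marked CKT_NSS_NOT_TRUSTED drops out of the bundle. The excerpt and its certificate bytes are constructed stand-ins, not real roots.

```python
import base64, re

# Constructed certdata.txt excerpt; the CKA_VALUE bodies are stand-in bytes, not real DER.
CERTDATA = r'''CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def parse_objects(text):
    """One dict per CKA_CLASS block; each MULTILINE_OCTAL ... END run is folded onto its line and decoded to bytes."""
    flat = re.sub(r'MULTILINE_OCTAL\n(.*?)\nEND', lambda m: 'OCTAL ' + m.group(1).replace('\n', ''), text, flags=re.S)
    objects = []
    for line in flat.splitlines():
        parts = line.split(' ', 2)
        if line.startswith('#') or len(parts) < 3:  # comments, BEGINDATA, blank lines
            continue
        attr, typ, value = parts
        value = value.strip('"')
        if typ == 'OCTAL':
            value = bytes(int(o, 8) for o in re.findall(r'\\([0-7]{3})', value))
        if attr == 'CKA_CLASS':
            objects.append({})
        if objects:  # skip header attributes such as CVS_ID that precede any object
            objects[-1][attr] = value
    return objects

def trusted_server_auth_pems(text):
    """{label: PEM} for certs whose trust record is CKT_NSS_TRUSTED_DELEGATOR for server auth."""
    objs = parse_objects(text)
    certs = {o['CKA_LABEL']: o['CKA_VALUE'] for o in objs if o['CKA_CLASS'] == 'CKO_CERTIFICATE'}
    pems = {}
    for o in objs:
        if o['CKA_CLASS'] == 'CKO_NSS_TRUST' and o.get('CKA_TRUST_SERVER_AUTH') == 'CKT_NSS_TRUSTED_DELEGATOR':
            b64 = base64.b64encode(certs[o['CKA_LABEL']]).decode()
            body = '\n'.join(b64[j:j + 64] for j in range(0, len(b64), 64))
            pems[o['CKA_LABEL']] = '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' % body
    return pems
```

Pointing the functions at a downloaded certdata.txt yields the same PEM set that ends up in src/node_root_certs.h, which makes a diff against the previous revision easy to review.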
bnoordhuis deleted the update-root-certs branch November 21, 2015 20:34
bnoordhuis merged commit c83d9b7 into nodejs:master Nov 21, 2015

@bnoordhuis (Member, Author)

Thanks for the review, Fedor. Tentatively tagged this lts-watch-v4.x.

@thefourtheye (Contributor)

On what basis do we update the root certificates?

@bnoordhuis (Member, Author)

There is no fixed schedule, I simply check the upstream certdata.txt for significant changes from time to time. There hasn't been anything earth-shattering but the last update in node was in May so I figured now is as good a time as any.

Maybe it's good to move to a more formal process but I'm not volunteering to write up a proposal. :-)

@thefourtheye (Contributor)

Maybe @nodejs/crypto can take it up?

@thefourtheye (Contributor)

@bnoordhuis what is "upstream" here? I am just trying to understand where exactly we get the certs from.

@bnoordhuis (Member, Author)

Mozilla, in particular this file (although you could argue that maybe we should be using this file instead.)

@thefourtheye (Contributor)

@bnoordhuis Thanks :-) I really don't know which one to favor over the other. But as long as we get it from the well-known entity, we are good I guess.

@shigeki (Contributor)

F.Y.I. NSS has already updated certdata.txt in Oct., see https://bugzilla.mozilla.org/show_bug.cgi?id=1214729, but it is not deployed to Firefox yet. If it is included in Firefox 45, it will be stable in March 2016.

@MylesBorins (Contributor)

@bnoordhuis What will be needed for this to land in LTS? Would it potentially land in v0.12 as well?

@shigeki (Contributor)

@thealphanerd It will land in both v0.12 and v0.10. See #3952.

@MylesBorins (Contributor)

@shigeki Good to know. I'll make the assumption that this is going to be handled by someone with more security chops until I hear otherwise.

bnoordhuis added a commit that referenced this pull request Dec 5, 2015
bnoordhuis added a commit that referenced this pull request Dec 5, 2015
rvagg added a commit that referenced this pull request Dec 9, 2015
Notable changes:

* build:
  - Add support for Intel's VTune JIT profiling when compiled with --enable-vtune-profiling. For more information about VTune, see https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785.
  - Properly enable V8 snapshots by default. Due to a configuration error, snapshots have been kept off by default when the intention is for the feature to be enabled. (Fedor Indutny) #3962.
* crypto:
  - Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects (created via crypto.createECDH(curve_name)) with private keys that are not dynamically generated via generateKeys(). The public key is now computed when explicitly setting a private key. Added validity checks to reduce the possibility of computing weak or invalid shared secrets. Also, deprecated the setPublicKey() method for ECDH objects as its usage is unnecessary and can lead to inconsistent state. (Michael Ruddy) #3511.
  - Update root certificates from the current list maintained by Mozilla NSS. (Ben Noordhuis) #3951.
  - Multiple CA certificates can now be passed with the ca option to TLS methods as an array of strings or in a single new-line separated string. (Ben Noordhuis) #4099.
* tools: Include a tick processor in core, exposed via the --prof-process command-line argument which can be used to process V8 profiling output files generated when using the --prof command-line argument. (Matt Loring) #4021.

PR-URL: #4181
rvagg added a commit that referenced this pull request Dec 9, 2015
rvagg mentioned this pull request Dec 17, 2015

@MylesBorins (Contributor)

@nodejs/lts is this ready to land?

@bnoordhuis (Member, Author)

This is probably already stale again. I had on my list updating the certificate list in master again.

@MylesBorins (Contributor)

@bnoordhuis I have removed the lts watch on this and await a new certificate list. Please let me know if this should be reconsidered.

scovetta pushed a commit to scovetta/node that referenced this pull request Apr 2, 2016