From d8c4a932c9a50b7c456baabfbba046b9e4f09dd1 Mon Sep 17 00:00:00 2001
From: Shigeki Ohtsu
Date: Fri, 13 Mar 2015 09:55:29 +0900
Subject: [PATCH] crypto: add deprecated ValiCert CA for cross cert

The host of melissadata.net has a cross root certification between Starfield Class 2 and ValiCert Class 2. OpenSSL-1.0.1 only looks up a cert chain to the deprecated ValiCert Class 2 CA and causes untrusted error. We add it for a short-term remedy and it is to be removed after upgrading OpenSSSL-1.0.2 and applying private patches to support alternative cert chains. See #402 and #589.

Fixes: https://github.com/iojs/io.js/issues/923
PR-URL: https://github.com/iojs/io.js/pull/1135
Reviewed-By: Ben Noordhuis
---
 src/node_root_certs.h | 19 +++++++++++++++++++
 .../internet/test-tls-connnect-melissadata.js | 7 +++++++
 2 files changed, 26 insertions(+)
 create mode 100644 test/internet/test-tls-connnect-melissadata.js

diff --git a/src/node_root_certs.h b/src/node_root_certs.h
index 6af5e9c97dfb8d..a75431c9be4e63 100644
--- a/src/node_root_certs.h
+++ b/src/node_root_certs.h
@@ -3911,3 +3911,22 @@
 "ie2uPAmvylezkolwQOQvT8Jwg0DXJCxr5wkf09XHwQj02w47HAcLQxGEIYbpgNR12KvxAmLB\n"
 "sX5VYc8T1yaw15zLKYs4SgsOkI26oQ==\n"
 "-----END CERTIFICATE-----\n",
+
+/* This root cert is 1024bit RSA to be removed in future. See GH-923. */
+/* ValiCert Class 2 VA */
+"-----BEGIN CERTIFICATE-----\n"
+"MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlk\n"
+"YXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlD\n"
+"ZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRw\n"
+"Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29t\n"
+"MB4XDTk5MDYyNjAwMTk1NFoXDTE5MDYyNjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0\n"
+"IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsT\n"
+"LFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQD\n"
+"ExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl\n"
+"cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOnHK5avIWZJV16vYdA757tn2\n"
+"VUdZZUcOBVXc65g2PFxTXdMwzzjsvUGJ7SVCCSRrCl6zfN1SLUzm1NZ9WlmpZdRJEy0kTRxQ\n"
+"b7XBhVQ7/nHk01xC+YDgkRoKWzk2Z/M/VXwbP7RfZHM047QSv4dk+NoS/zcnwbNDu+97bi5p\n"
+"9wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBADt/UG9vUJSZSWI4OB9L+KXIPqeCgfYrx+jFzug6\n"
+"EILLGACOTb2oWH+heQC1u+mNr0HZDzTuIYEZoDJJKPTEjlbVUjP9UNV+mWwD5MlM/Mtsq2az\n"
+"SiGM5bUMMj4QssxsodyamEwCW/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd\n"
+"-----END CERTIFICATE-----\n",
diff --git a/test/internet/test-tls-connnect-melissadata.js b/test/internet/test-tls-connnect-melissadata.js
new file mode 100644
index 00000000000000..61239c89c80c3f
--- /dev/null
+++ b/test/internet/test-tls-connnect-melissadata.js
@@ -0,0 +1,7 @@
+// Test for authorized access to the server which has a cross root
+// certification between Starfield Class 2 and ValiCert Class 2
+var tls = require('tls');
+var socket = tls.connect(443, 'address.melissadata.net', function() {
+ socket.resume();
+ socket.destroy();
+});
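Review bot: The comment above the new entry says the 1024-bit RSA root is "to be removed in future" but gives no removal condition, so nothing in the file tells a later maintainer when it is safe to drop. The commit message does state one (after moving to OpenSSL 1.0.2 with alternative cert chain support), and the comment should carry it, e.g. `/* 1024-bit RSA root kept only for the Starfield/ValiCert cross-cert chain; remove once OpenSSL 1.0.2 alternative chain support is in. See GH-923. */`. Because this list presumably feeds the default trust store, the weak root would be accepted as an anchor for any TLS connection, not only the host named in the commit message, which is why the removal trigger is worth recording next to the entry. The array this entry is appended to starts outside the hunk.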
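Review bot: The connect callback in the new test never checks that the peer was actually verified, although the header comment says the test is for authorized access; the outcome depends entirely on whatever the default `rejectUnauthorized` behaviour of `tls.connect` is. Making the expectation explicit keeps the test meaningful if that default or the call's options ever change: add `var assert = require('assert');` at the top and `assert(socket.authorized);` as the first line of the callback. The file name also carries a typo (`connnect`).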