-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: whitelist CNNIC certificates? #1871
Comments
Allow me to copy/paste my reply. :-) I personally wouldn't mind the whitelisting approach. I don't think the overhead is going to be terrible when it's implemented as a simple binary search over a static array. The only issue I see is tracking whitelist updates. Either we do it manually from time to time like we do for the root certificates or it has to be scripted into the release process somehow. |
Mozilla has an independent file of whitelist in https://hg.mozilla.org/mozilla-central/raw-file/98820360ab66/security/certverifier/CNNICHashWhitelist.inc . We have to watch it periodically if we take this. I made a patch in shigeki@1459820 for adding CNNIC whitelist check and tried tests for evaluating its performance degradation. Most of tls connection is to access to TLS servers that is not issued by CNNIC. I made tls connection benchmarks to a local server by using my cert issued by GlobalSign. There seems about 2% performance drop in tls connection on my tests. But in general case, RTT gets more than that in the test so that the ratio would be more small.
|
Can you file it as a PR? I have a couple of comments but it's easier to do that on a PR. |
Okay, I will do it right now. |
submitted #1895 |
See comment here:
/cc @nodejs/crypto
The text was updated successfully, but these errors were encountered: