certificate not trusted errors with amazon cert chains #402
Comments
I can't reproduce, maybe it's an issue with the request module. With just
There's a redirect that is causing the issue which request follows but https does not. This snippet will reproduce:
Thanks. The chain for that URL is:
The S3 certificate is backed by the offending VeriSign that was phased out over a year ago. @indutny Thoughts? I suppose we should cherry-pick the certificate but it's kind of bad form for AWS to be so negligent in upgrading their certificates.
Is there a way to contact amazon about it?
Nolens volens add back a 1024-bit Verisign Class 3 certificate that is still in use by AWS S3. Fixes: nodejs#402
Probably the S3 community forum would be a good place to start by posting details of the issue. Seems like other cert-related issues have been discussed there. Specifically this thread seems like a very similar (identical?) issue/discussion.
Ben, do you remember that OpenSSL patch about cert chain? I think we should Adding 1024-bit CAs is not a solution at all!
On Wednesday, January 14, 2015, Peter Lyons notifications@github.com
openssl-1.0.2 (in beta now) has a new flag to solve this. It's easy to backport to openssl-1.0.1 and works fine, as written in nodejs/node-v0.x-archive#8894 (comment)
X509_V_FLAG_TRUSTED_FIRST? Seems reasonable but will the flag be opt-in or opt-out? Opt-out would change the behavior of code that specifies its own CA chain, wouldn't it? Aside, does anyone know why the X509_V_FLAG_TRUSTED_FIRST patch hasn't been back-ported to 1.0.1? It was landed in openssl HEAD almost five years ago.
@bnoordhuis I'll ask Rich
I think it was @piscisaureus that landed 0926cb9 earlier today, provisionally resolving this issue. A better fix would still be good and I'm keeping the issue open for now but at least v1.0.2 will work with AWS again.
Seeing nodejs/node-v0.x-archive@1425ccd, there are still several 1024-bit root certs missing. Why was that commit not merged to io.js?
@bnoordhuis @indutny if I cut a 1.0.2 today, will this make it so node-pre-gyp can work again?
urgh, sorry, read the above comment from @bnoordhuis, will go ahead
@shigeki I was planning to take a reactive approach here (i.e. don't do anything until someone reports a bug) because I don't think the other CAs are in widespread use, but if you think that commit is worth taking, I'll land it. Actually, I'll be happy to give you commit access so you can land it yourself. Just follow the regular review process, please. :-)
Confirmed, works in 1.0.2, thanks.
@bnoordhuis I read the related thread at https://groups.google.com/d/msg/mozilla.dev.security.policy/JFGRyr4-F44/d0UGCCoUeh4J in part, not as a whole, as it's a long thread, and I found that mozilla took two actions: one for Entrust, https://bugzilla.mozilla.org/show_bug.cgi?id=1045189, and the other for GTE, https://bugzilla.mozilla.org/show_bug.cgi?id=1047011. In the Entrust case, mozilla added intermediate cross certs of USERTrust CA in certdata.txt to mitigate the deprecation. In iojs, it does not include in Seeing above, I agree with your plan to take a reactive approach, just remembering that this issue existed. It's my honor to have commit access, thanks. In this case it would not be needed. I would like to help this project as much as I can spend time on iojs. Thanks.
The host of melissadata.net has a cross root certification between Starfield Class 2 and ValiCert Class 2. OpenSSL-1.0.1 only looks up a cert chain to the deprecated ValiCert Class 2 CA and causes an untrusted error. We add it for a short-term remedy and it is to be removed after upgrading OpenSSL-1.0.2 and applying private patches to support alternative cert chains. See nodejs#402 and nodejs#589. Fixes: nodejs#923
The host of melissadata.net has a cross root certification between Starfield Class 2 and ValiCert Class 2. OpenSSL-1.0.1 only looks up a cert chain to the deprecated ValiCert Class 2 CA and causes an untrusted error. We add it for a short-term remedy and it is to be removed after upgrading OpenSSL-1.0.2 and applying private patches to support alternative cert chains. See #402 and #589. Fixes: #923 PR-URL: #1135 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
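As an added illustration (not code from this issue, io.js or OpenSSL), the Node.js model below shows the chain-building difference discussed above: OpenSSL 1.0.1 walking the peer-supplied chain through a cross-signed CA cert to a removed 1024-bit root, versus X509_V_FLAG_TRUSTED_FIRST stopping at the newer root already in the store, and why adding the old roots back only "fixes" it by anchoring trust in a 1024-bit key. All certificate names, key sizes and the trust store contents are constructed.

```javascript
// Simplified model of OpenSSL path building; certs are plain objects, not real X.509.
function selfSigned(subject, bits) { return { subject, issuer: subject, bits }; }

// Trust store keyed by subject, with the 1024-bit roots already removed (constructed).
const STORE = new Map([
  ['VeriSign Class 3 G5 (2048)', selfSigned('VeriSign Class 3 G5 (2048)', 2048)],
  ['Starfield Class 2 (2048)', selfSigned('Starfield Class 2 (2048)', 2048)],
]);
// The deprecated roots that the short-term remedy commits add back (constructed).
const OLD_ROOTS = [selfSigned('VeriSign Class 3 (1024)', 1024), selfSigned('ValiCert Class 2 (1024)', 1024)];

// Chains as a server would send them: leaf first, ending in a cross-signed CA cert
// whose issuer is the old root rather than the newer self-signed root (constructed).
const S3 = [
  { subject: 's3.amazonaws.com', issuer: 'VeriSign Secure Server CA', bits: 2048 },
  { subject: 'VeriSign Secure Server CA', issuer: 'VeriSign Class 3 G5 (2048)', bits: 2048 },
  { subject: 'VeriSign Class 3 G5 (2048)', issuer: 'VeriSign Class 3 (1024)', bits: 2048 }, // cross-cert
];
const MELISSA = [
  { subject: 'melissadata.net', issuer: 'Starfield Secure CA', bits: 2048 },
  { subject: 'Starfield Secure CA', issuer: 'Starfield Class 2 (2048)', bits: 2048 },
  { subject: 'Starfield Class 2 (2048)', issuer: 'ValiCert Class 2 (1024)', bits: 2048 }, // cross-cert
];

// Builds a path from the leaf to a self-signed cert in the store. With trustedFirst=false
// (OpenSSL 1.0.1) peer certs are consulted before the store, so the cross-cert drags the
// path on to the removed root. With trustedFirst=true (X509_V_FLAG_TRUSTED_FIRST) the
// store wins as soon as it holds the issuer, and the cross-cert is never used.
function buildChain(peerChain, store, trustedFirst) {
  const path = [peerChain[0]];
  for (let cur = path[0], depth = 0; depth < 10; depth++) {
    if (store.get(cur.subject) && cur.issuer === cur.subject) {
      return { ok: true, anchor: cur.subject, anchorBits: cur.bits, depth: path.length };
    }
    const fromStore = store.get(cur.issuer);
    const fromPeer = peerChain.find(c => c.subject === cur.issuer && c !== cur);
    const next = trustedFirst ? fromStore || fromPeer : fromPeer || fromStore;
    if (!next) return { ok: false, error: `unable to get issuer certificate: ${cur.issuer}` };
    path.push(next);
    cur = next;
  }
  return { ok: false, error: 'chain too long' };
}

// The 1.0.1-era remedy: put the deprecated 1024-bit roots back into the store.
function withOldRoots(store) {
  return new Map([...store, ...OLD_ROOTS.map(c => [c.subject, c])]);
}
```

Running `buildChain(S3, STORE, false)` fails with the removed root as the missing issuer, `buildChain(S3, STORE, true)` anchors at the 2048-bit G5 root, and `buildChain(MELISSA, withOldRoots(STORE), false)` succeeds only by anchoring at the 1024-bit ValiCert key.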
Using io.js 1.0.1, install the request module and run the following code:
Gives the result:
This appears to be the same bug as this nodejs issue:
nodejs/node-v0.x-archive#8894