-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update root certs with NSS 3.41, and document the process #25113
Conversation
ab91dbe
to
0fc672b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Good writeup, Sam. There's a typo in the URL in the first commit, it's missing the first 't' in certdata.txt.
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3
4e73e85
to
b5ca978
Compare
b5ca978
to
cc6aa02
Compare
Landed in 4ac1702...845fdd0 |
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Sorry, forgot to answer this. The answer is 'mostly' - there have been some certificate changes that we didn't backport in the past for fear of disruption (deprecation/removal of 1024 bits RSA certs was one.) |
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Notable Changes: * cli: - add --max-http-header-size flag (cjihrig) #24811 * crypto: - always accept certificates as public keys (Tobias Nießen) #24234 - add key object API (Tobias Nießen) [#24234](#24234) - update root certificates (Sam Roberts) #25113 * deps: - upgrade to libuv 1.24.1 (cjihrig) #25078 - upgrade npm to 6.5.0 (Audrey Eschright) #24734 * http: - add maxHeaderSize property (cjihrig) #24860 PR-URL: #25175
Notable Changes: * cli: - add --max-http-header-size flag (cjihrig) #24811 * crypto: - always accept certificates as public keys (Tobias Nießen) #24234 - add key object API (Tobias Nießen) [#24234](#24234) - update root certificates (Sam Roberts) #25113 * deps: - upgrade to libuv 1.24.1 (cjihrig) #25078 - upgrade npm to 6.5.0 (Audrey Eschright) #24734 * http: - add maxHeaderSize property (cjihrig) #24860 PR-URL: #25175
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 PR-URL: nodejs#25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: nodejs#25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Notable Changes: * cli: - add --max-http-header-size flag (cjihrig) nodejs#24811 * crypto: - always accept certificates as public keys (Tobias Nießen) nodejs#24234 - add key object API (Tobias Nießen) [nodejs#24234](nodejs#24234) - update root certificates (Sam Roberts) nodejs#25113 * deps: - upgrade to libuv 1.24.1 (cjihrig) nodejs#25078 - upgrade npm to 6.5.0 (Audrey Eschright) nodejs#24734 * http: - add maxHeaderSize property (cjihrig) nodejs#24860 PR-URL: nodejs#25175
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: #25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 PR-URL: nodejs#25113 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03. This is the version of NSS that will ship in Firefox 65 on 2018-12-11. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #25113 Backport-PR-URL: #29137 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - GlobalSign Root CA - R6 - OISTE WISeKey Global Root GC CA - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - UCA Global G2 Root - UCA Extended Validation Root - Certigna Root CA Certificates removed: - Visa eCommerce Root - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 PR-URL: #25113 Backport-PR-URL: #29137 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
One question about the process: do root certs always get backported? I think so, so should the final step in the process involve any labelling of the PR to indicate request-to-backport/cherry-pick into LTS branches?
/to @bnoordhuis @shigeki
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes