-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: update root certificates #3951
Conversation
LGTM, verified certs. aac67e61d13e61f4e855350e896f9487e858ed464bb6340623ccb261da767c232c55c735f9217609bb7e23589016497feb7958e63a31309e4d9828a474510bd7 tools/certdata.txt |
This is the latest certdata.txt from [0], last updated on 2015-11-13. [0] https://hg.mozilla.org/mozilla-central/raw-file/64df3815df9c/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#3951 Reviewed-By: Fedor Indutny <fedor@indutny.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. PR-URL: nodejs#3951 Reviewed-By: Fedor Indutny <fedor@indutny.com>
cd15467
to
c83d9b7
Compare
Thanks for the review, Fedor. Tentatively tagged this |
On what basis we update the root certificates? |
There is no fixed schedule, I simply I check the upstream certdata.txt for significant changes from time to time. There hasn't been anything earth-shattering but the last update in node was in May so I figured now is a good a time as any. Maybe it's good to move to a more formal process but I'm not volunteering to write up a proposal. :-) |
Maybe @nodejs/crypto can take it up? |
@bnoordhuis what is "upstream" here? I am just trying to understand where exactly we get the certs from. |
@bnoordhuis Thanks :-) I really don't know which one to favor over the other. But as long as we get it from the well-known entity, we are good I guess. |
F.Y.I NSS has already updated certdata.txt in Oct. as https://bugzilla.mozilla.org/show_bug.cgi?id=1214729 but not deployed to Firefox yet. If it is included in Firefox45, it will be stable in March 2016. |
@bnoordhuis what will be needed for this to land in lts? would it potentially land in v0.12 as well? |
@thealphanerd It will land in both v0.12 and v0.10. See #3952 . |
@shigeki Good to know. I'll make the assumption that this is going to be handled by someone with more security chops until I hear otherwise |
This is the latest certdata.txt from [0], last updated on 2015-11-13. [0] https://hg.mozilla.org/mozilla-central/raw-file/64df3815df9c/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: #3951 Reviewed-By: Fedor Indutny <fedor@indutny.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. PR-URL: #3951 Reviewed-By: Fedor Indutny <fedor@indutny.com>
Notable changes: * build: - Add support for Intel's VTune JIT profiling when compiled with --enable-vtune-profiling. For more information about VTune, see https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785. - Properly enable V8 snapshots by default. Due to a configuration error, snapshots have been kept off by default when the intention is for the feature to be enabled. (Fedor Indutny) #3962. * crypto: - Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects (created via crypto.createECDH(curve_name)) with private keys that are not dynamically generated via generateKeys(). The public key is now computed when explicitly setting a private key. Added validity checks to reduce the possibility of computing weak or invalid shared secrets. Also, deprecated the setPublicKey() method for ECDH objects as its usage is unnecessary and can lead to inconsistent state. (Michael Ruddy) #3511. - Update root certificates from the current list stored maintained by Mozilla NSS. (Ben Noordhuis) #3951. - Multiple CA certificates can now be passed with the ca option to TLS methods as an array of strings or in a single new-line separated string. (Ben Noordhuis) #4099 * tools: Include a tick processor in core, exposed via the --prof-process command-line argument which can be used to process V8 profiling output files generated when using the --prof command-line argument. (Matt Loring) #4021. PR-URL: #4181
Notable changes: * build: - Add support for Intel's VTune JIT profiling when compiled with --enable-vtune-profiling. For more information about VTune, see https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785. - Properly enable V8 snapshots by default. Due to a configuration error, snapshots have been kept off by default when the intention is for the feature to be enabled. (Fedor Indutny) #3962. * crypto: - Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects (created via crypto.createECDH(curve_name)) with private keys that are not dynamically generated via generateKeys(). The public key is now computed when explicitly setting a private key. Added validity checks to reduce the possibility of computing weak or invalid shared secrets. Also, deprecated the setPublicKey() method for ECDH objects as its usage is unnecessary and can lead to inconsistent state. (Michael Ruddy) #3511. - Update root certificates from the current list stored maintained by Mozilla NSS. (Ben Noordhuis) #3951. - Multiple CA certificates can now be passed with the ca option to TLS methods as an array of strings or in a single new-line separated string. (Ben Noordhuis) #4099 * tools: Include a tick processor in core, exposed via the --prof-process command-line argument which can be used to process V8 profiling output files generated when using the --prof command-line argument. (Matt Loring) #4021. PR-URL: #4181
@nodejs/lts is this ready to land? |
This is probably already stale again. I had on my list updating the certificate list in master again. |
@bnoordhuis I have removed the lts watch on this and await a new certificate list. please let me know if this should be reconsidered |
Notable changes: * build: - Add support for Intel's VTune JIT profiling when compiled with --enable-vtune-profiling. For more information about VTune, see https://software.intel.com/en-us/node/544211. (Chunyang Dai) nodejs#3785. - Properly enable V8 snapshots by default. Due to a configuration error, snapshots have been kept off by default when the intention is for the feature to be enabled. (Fedor Indutny) nodejs#3962. * crypto: - Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects (created via crypto.createECDH(curve_name)) with private keys that are not dynamically generated via generateKeys(). The public key is now computed when explicitly setting a private key. Added validity checks to reduce the possibility of computing weak or invalid shared secrets. Also, deprecated the setPublicKey() method for ECDH objects as its usage is unnecessary and can lead to inconsistent state. (Michael Ruddy) nodejs#3511. - Update root certificates from the current list stored maintained by Mozilla NSS. (Ben Noordhuis) nodejs#3951. - Multiple CA certificates can now be passed with the ca option to TLS methods as an array of strings or in a single new-line separated string. (Ben Noordhuis) nodejs#4099 * tools: Include a tick processor in core, exposed via the --prof-process command-line argument which can be used to process V8 profiling output files generated when using the --prof command-line argument. (Matt Loring) nodejs#4021. PR-URL: nodejs#4181
R=@nodejs/crypto
CI: https://ci.nodejs.org/job/node-test-pull-request/802/