crypto: update root certificates #1833
Otherwise, I will remove test/internet/test-tls-connnect-melissadata.js that was created in d8c4a93 after the update. As for this root cert update, what should we do about the CNNIC whitelist? Firefox and Chrome obtain serials of issued certs and check them during cert verification. I incline not to do it because
@indutny Don't know how I ended up pasting a bad link... the right one is https://hg.mozilla.org/mozilla-central/raw-file/aa275ad846f1/security/nss/lib/ckfw/builtins/certdata.txt - I'll update the commit log before I land this.
I tried to keep the delta with upstream as small as possible, to make future updates easier, that's why I left in some cruft. Basically all I did was remove the auto-downloading code.
I personally wouldn't mind the whitelisting approach. I don't think the overhead is going to be terrible when it's implemented as a simple binary search over a static array. The only issue I see is tracking whitelist updates. Either we do it manually from time to time like we do for the root certificates or it has to be scripted into the release process somehow.
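The lookup suggested in the comment above, as an added example that is not part of the thread or of Node's source: a sorted static array of certificate serial numbers searched with `bsearch`. The struct layout, the function names and the serial values are constructed for illustration; the sortedness check is there because binary search silently misses entries when a regenerated table is out of order.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* One whitelisted serial number. X.509 serials are at most 20 bytes. */
struct serial {
  unsigned char len;
  unsigned char bytes[20];
};

/* Constructed sample values, not real certificate serials. The table must
 * stay sorted by (len, bytes), e.g. by the script that generates it. */
static const struct serial kWhitelist[] = {
  { 2, { 0x01, 0x0a } },
  { 2, { 0x7f, 0x33 } },
  { 4, { 0x00, 0x9c, 0x21, 0x05 } },
  { 4, { 0x12, 0x34, 0x56, 0x78 } },
  { 8, { 0x0b, 0xad, 0xc0, 0xde, 0x00, 0x00, 0x00, 0x01 } },
};
static const size_t kWhitelistLen = sizeof(kWhitelist) / sizeof(kWhitelist[0]);

/* Total order: shorter serials first, then bytewise. */
static int serial_cmp(const void *a, const void *b) {
  const struct serial *x = a, *y = b;
  if (x->len != y->len) return x->len < y->len ? -1 : 1;
  return memcmp(x->bytes, y->bytes, x->len);
}

/* Returns 1 only if the table is strictly increasing (sorted, no duplicates).
 * Run this whenever the whitelist is regenerated. */
static int whitelist_is_sorted(const struct serial *t, size_t n) {
  for (size_t i = 1; i < n; i++)
    if (serial_cmp(&t[i - 1], &t[i]) >= 0) return 0;
  return 1;
}

/* Returns 1 if the serial (raw big-endian bytes) is whitelisted, else 0. */
static int serial_is_whitelisted(const unsigned char *s, size_t len) {
  struct serial key;
  if (len == 0 || len > sizeof(key.bytes)) return 0;
  key.len = (unsigned char)len;
  memset(key.bytes, 0, sizeof(key.bytes));
  memcpy(key.bytes, s, len);
  return bsearch(&key, kWhitelist, kWhitelistLen, sizeof(key), serial_cmp) != NULL;
}
```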
PR-URL: nodejs#1833 Reviewed-By: Shigeki Ohtsu <[email protected]>
Remove unneeded functionality and tweak the generated output so we can #include it in C++ source code. This commit essentially reapplies the changes from commit e159073 ("tools: customize mk-ca-bundle.pl") to the updated script. PR-URL: nodejs#1833 Reviewed-By: Shigeki Ohtsu <[email protected]>
This is the latest certdata.txt from [0], last updated on 2015-04-20. [0] https://hg.mozilla.org/mozilla-central/raw-file/aa275ad846f1/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#1833 Reviewed-By: Shigeki Ohtsu <[email protected]>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. PR-URL: nodejs#1833 Reviewed-By: Shigeki Ohtsu <[email protected]>
acc2040 to a4dbf45
PR-URL: nodejs/node#1833 Reviewed-By: Shigeki Ohtsu <[email protected]>
Remove unneeded functionality and tweak the generated output so we can #include it in C++ source code. This commit essentially reapplies the changes from commit e159073 ("tools: customize mk-ca-bundle.pl") to the updated script. PR-URL: nodejs/node#1833 Reviewed-By: Shigeki Ohtsu <[email protected]>
This is the latest certdata.txt from [0], last updated on 2015-04-20. [0] https://hg.mozilla.org/mozilla-central/raw-file/aa275ad846f1/security/nss/lib/ckfw/builtins/certdata.txt PR-URL: nodejs/node#1833 Reviewed-By: Shigeki Ohtsu <[email protected]>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. PR-URL: nodejs/node#1833 Reviewed-By: Shigeki Ohtsu <[email protected]>
R=@nodejs/crypto
See also #1261
CI: https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/724/