Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update root certs to use NSS 3.53 #33682

Closed
wants to merge 2 commits into from
Closed

Update root certs to use NSS 3.53 #33682

wants to merge 2 commits into from

Conversation

AshCripps
Copy link
Member

Updated the root certs to use NSS 3.53

should fix #33681

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines

AshCripps added 2 commits June 1, 2020 13:31
tools: update certdata.txt
b55556d 
This is the certdata.txt[0] from NSS 3.53, released on 2020-05-29.

This is the version of NSS that will ship in Firefox 78 on
2020-06-30.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_53_RTM/lib/ckfw/builtins/certdata.txt
crypto: update root certificates
fe2fcd3 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
Entrust Root Certification Authority - G4

Certificates removed:
@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. labels Jun 1, 2020
@AshCripps AshCripps mentioned this pull request Jun 1, 2020
Closed
@sam-github
Copy link
Contributor

cc: @nodejs/security

@sam-github sam-github added security Issues and PRs related to security. tls Issues and PRs related to the tls subsystem. labels Jun 1, 2020
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/31689/

@sam-github
Copy link
Contributor

fast-track, to get this in the security release tomorrow?

@sam-github sam-github added the fast-track PRs that do not need to wait for 48 hours to land. label Jun 1, 2020
@addaleax addaleax added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. crypto Issues and PRs related to the crypto subsystem. and removed lib / src Issues and PRs related to general changes in the lib or src directory. labels Jun 1, 2020
@sam-github
Copy link
Contributor

I'll watch the build status and merge when its green. cc: @targos @BethGriggs

@sam-github
Copy link
Contributor

sam-github commented Jun 1, 2020
edited by targos
Loading

Landed in 41796eb...f1ae7ea

@sam-github sam-github closed this Jun 1, 2020
sam-github pushed a commit that referenced this pull request Jun 1, 2020
@sam-github
tools: update certdata.txt
c522df5 
This is the certdata.txt[0] from NSS 3.53, released on 2020-05-29.

This is the version of NSS that will ship in Firefox 78 on
2020-06-30.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_53_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #33682
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
sam-github pushed a commit that referenced this pull request Jun 1, 2020
@sam-github
crypto: update root certificates
f1ae7ea 
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
Entrust Root Certification Authority - G4

Certificates removed:

PR-URL: #33682
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
@sam-github
Copy link
Contributor

I'm not sure if this should land on v10.x, @nodejs/lts

10.x currently has NSS 3.41.

It is missing the master updates to 3.42, 3.45, 3.47, so this PR's update to 3.53 won't land cleanly.

What is the LTS release policy wrt. certificate data updates?

@richardlau
Copy link
Member

I don't think we have a specific policy for updating the certificates but in my opinion it falls under the security updates category.

@AshCripps AshCripps deleted the update-root-certs branch June 2, 2020 10:47
@nornagon nornagon mentioned this pull request Jun 22, 2020
Closed
3 tasks
nornagon added a commit to electron/electron that referenced this pull request Jun 23, 2020
@nornagon
fix: backport nodejs/node#33682
dda3a15
@nornagon nornagon mentioned this pull request Jun 23, 2020
Merged
3 tasks
nornagon added a commit to electron/electron that referenced this pull request Jun 23, 2020
@nornagon
fix: backport nodejs/node#33682
adf67cb
@nornagon nornagon mentioned this pull request Jun 23, 2020
Merged
3 tasks
nornagon added a commit to electron/electron that referenced this pull request Jun 23, 2020
@nornagon
fix: backport nodejs/node#33682 and nodejs/node#30195
6ac2675
nornagon added a commit to electron/electron that referenced this pull request Jun 23, 2020
@nornagon
fix: backport nodejs/node#33682 and nodejs/node#30195
0001ed7
deepak1556 pushed a commit to electron/electron that referenced this pull request Jun 24, 2020
@nornagon
fix: backport nodejs/node#33682 (#24266)
fb292c2
deepak1556 pushed a commit to electron/electron that referenced this pull request Jun 24, 2020
@nornagon
fix: backport nodejs/node#33682 (#24267)
7835902
deepak1556 pushed a commit to electron/electron that referenced this pull request Jun 24, 2020
@nornagon
fix: backport nodejs/node#33682 and nodejs/node#30195 (#24268)
9964e3f
deepak1556 pushed a commit to electron/electron that referenced this pull request Jun 24, 2020
@nornagon
fix: backport nodejs/node#33682 and nodejs/node#30195 (#24269)
092706c
@LucaBlackDragon LucaBlackDragon mentioned this pull request Dec 18, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juanarbol juanarbol juanarbol approved these changes

@BethGriggs BethGriggs BethGriggs approved these changes

@jasnell jasnell jasnell approved these changes

@sam-github sam-github sam-github approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. fast-track PRs that do not need to wait for 48 hours to land. security Issues and PRs related to security. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AddTrust SSL CA root cert expired (as bundled with NodeJS) - updated one published
8 participants
@AshCripps @sam-github @nodejs-github-bot @richardlau @jasnell @BethGriggs @juanarbol @addaleax