v11.6.0 proposal #25175

Merged
merged 59 commits into from
Dec 26, 2018
0057af2
deps: cherry-pick http_parser_set_max_header_size
cjihrig Nov 29, 2018
c80ac7f
src: add kUInteger parsing
mcollina Dec 18, 2018
edd8bd0
cli: add --max-http-header-size flag
cjihrig Dec 3, 2018
0cde1a4
lib: remove unused NativeModule/NativeModule wraps
joyeecheung Dec 8, 2018
7f34c76
src: remove internalBinding('config').warningFile
joyeecheung Dec 11, 2018
96bdd47
lib: refactor argument validation using validateString
ZYSzys Dec 11, 2018
7b2eefc
child_process: spawn ignores options in case args is undefined
eduardbme Dec 8, 2018
85a1369
perf_hooks: make GC tracking state per-Environment
addaleax Dec 14, 2018
74e08c0
vm: simplify Script constructor options validation
cjihrig Dec 15, 2018
09a99c6
src: mark some global state as const
addaleax Dec 14, 2018
ed3303b
tools: enable no-useless-constructor lint rule
cjihrig Dec 15, 2018
30b6155
test: merge test with unnecessary child process
sam-github Dec 13, 2018
4513516
build: add a space to clarify skipping crypto msg
danbev Dec 13, 2018
2516e9c
doc,lib,test: capitalize comment sentences
BridgeAR Dec 10, 2018
e340b8f
tls: re-define max supported version as 1.2
sam-github Nov 28, 2018
a4505c6
src: extract common Bind method
maclover7 Aug 14, 2018
9ad6bc2
test: remove magic numbers in test-gc-http-client-onerror
Trott Dec 10, 2018
3f82144
process: move environment variable proxy code into node_env_var.cc
joyeecheung Dec 15, 2018
4561e2c
doc: revise "Breaking Changes" section of Collaborator Guide
Trott Dec 16, 2018
a5bccc2
tools: make apilinks building more robust
joyeecheung Dec 13, 2018
5eb5d1d
test: test internal/util/types in vm
ZYSzys Dec 15, 2018
a9ab28d
assert: inspect getters
BridgeAR Dec 13, 2018
3e1fe19
test: add missing tmpdir.refresh() in recently-added test
Trott Dec 17, 2018
6f3b421
src: schedule destroy hooks in BeforeExit early during bootstrap
joyeecheung Dec 13, 2018
1f45b23
test: add signal check to test-esm-cjs-main
Trott Dec 16, 2018
4f28da8
worker: fix nullptr deref after MessagePort deser failure
addaleax Dec 16, 2018
155d1d5
deps: upgrade to libuv 1.24.1
cjihrig Dec 16, 2018
8279826
test: verify input flags
BridgeAR Dec 6, 2018
d09e333
test: remove obsolete eslint comments
cjihrig Dec 17, 2018
d1a98a8
events: simplify stack compare function
BridgeAR Nov 18, 2018
c6388ed
src: handle empty Maybe in uv binding initialize
addaleax Dec 17, 2018
7df59f8
vm: reuse validateString of internal/validators
ZYSzys Dec 16, 2018
fd0361b
src: mark options parsers as const
addaleax Dec 15, 2018
54e42f0
src: port GetLoadedLibraries for freebsd
gireeshpunathil Dec 18, 2018
2fc43fb
lib: switch to object spread where possible
BridgeAR Dec 18, 2018
ae50f48
http: add maxHeaderSize property
cjihrig Dec 6, 2018
add566e
os: use uv_os_gethostname() in hostname()
cjihrig Dec 18, 2018
b801b03
src: use std::vector for setting up process.execPath
addaleax Dec 15, 2018
9b38bbf
build: correct fi indentation in Makefile
danbev Dec 18, 2018
9b941da
tools: update certdata.txt
sam-github Dec 18, 2018
6f6f339
crypto: update root certificates
sam-github Dec 18, 2018
4ca0951
doc: describe root cert update process
sam-github Dec 18, 2018
6a690ee
doc: revise "Breaking Changes and Deprecations"
Trott Dec 18, 2018
175f7b6
test: remove unnecessary eslint-disable comments
Trott Dec 19, 2018
073a512
tools: report unused disable-directives for ESLint
Trott Dec 19, 2018
b3f45da
lib: make internal API warning more direct
Trott Dec 19, 2018
a28cae0
test: add hasCrypto check to common flags check
danbev Dec 20, 2018
db54531
test: remove Files: comment processing from Python test runner
Trott Dec 22, 2018
c6bfa66
buffer: simplify code
BridgeAR Dec 20, 2018
c9f809e
src: add DCHECK macros
kiyomizumia Nov 14, 2018
b78d487
doc: fix links in test/common/README.md
vsemozhetbyt Dec 21, 2018
3b53df0
crypto: add key object API
tniessen Sep 20, 2018
e6c1e8d
crypto: always accept certificates as public keys
tniessen Dec 19, 2018
c7fa132
tools: alphabetize IGNORED_SUITES in tools/test.py
Trott Dec 22, 2018
6557ea1
test: mark test-trace-events-api-worker-disabled flaky
Trott Dec 23, 2018
8ab0a48
tools: update ESLint to 5.11.0
cjihrig Dec 23, 2018
45d4851
test: fix test-tls-session-timeout
Trott Dec 23, 2018
e855018
deps: upgrade npm to 6.5.0
Nov 29, 2018
968e901
2018-12-26, Version 11.6.0 (Current)
MylesBorins Dec 21, 2018
doc: describe root cert update process
PR-URL: #25113
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
sam-github authored and MylesBorins committed Dec 26, 2018
commit 4ca09517c24d574fd97ec45b708aebedee8bf117
122 changes: 122 additions & 0 deletions doc/guides/updating-root-certs.md
@@ -0,0 +1,122 @@
# Updating the Root Certificates

Node.js contains a compiled-in set of root certificates used as trust anchors
for TLS certificate validation.

The certificates come from Mozilla, specifically NSS's `certdata.txt` file.

The PEM encodings of the certificates are converted to C strings, and committed
in `src/node_root_certs.h`.

## When to update

Root certificates should be updated sometime after Mozilla makes an NSS release,
check the [NSS release schedule][].

## Process

Commands assume that the current working directory is the root of a checkout of
the nodejs/node repository.

1. Find NSS metadata for update.

The latest released NSS version, release date, Firefox version, and Firefox
release date can be found in the [NSS release schedule][].

The tag to fetch `certdata.txt` from is found by looking for the release
version in the [tag list][].

2. Update `certdata.txt` from the NSS release tag.

Update the tag in the commands below, and run:
```shell
cd tools/
./mk-ca-bundle -v 2>_before
curl -O https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt
```

The `_before` file will be used later. Verify that running `mk-ca-bundle` made
no changes to `src/node_root_certs.h`. If it did, something went wrong with the
previous update. Seek help!

Update metadata in the message below, and commit `certdata.txt`:

```text
tools: update certdata.txt

This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

This is the version of NSS that will ship in Firefox 65 on
2018-12-11.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt
```

3. Update `node_root_certs.h` from `certdata.txt`.

Run the command below:

```shell
./mk-ca-bundle.pl -v 2>_after
```

Confirm that `../src/node_root_certs.h` was updated.

Determine what changes were made by diffing the before and after files:
```shell
% diff _before _after
11d10
< Parsing: Visa eCommerce Root
106d104
< Parsing: TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
113,117d110
< Parsing: Certplus Root CA G1
< Parsing: Certplus Root CA G2
< Parsing: OpenTrust Root CA G1
< Parsing: OpenTrust Root CA G2
< Parsing: OpenTrust Root CA G3
134c127,136
< Done (133 CA certs processed, 20 skipped).
---
> Parsing: GlobalSign Root CA - R6
> Parsing: OISTE WISeKey Global Root GC CA
> Parsing: GTS Root R1
> Parsing: GTS Root R2
> Parsing: GTS Root R3
> Parsing: GTS Root R4
> Parsing: UCA Global G2 Root
> Parsing: UCA Extended Validation Root
> Parsing: Certigna Root CA
> Done (135 CA certs processed, 16 skipped).
```

Use the diff to update the message below, and commit `src/node_root_certs.h`:
```text
crypto: update root certificates

Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GlobalSign Root CA - R6
- OISTE WISeKey Global Root GC CA
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- UCA Global G2 Root
- UCA Extended Validation Root
- Certigna Root CA

Certificates removed:
- Visa eCommerce Root
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
```

[NSS release schedule]: https://wiki.mozilla.org/NSS:Release_Versions
[tag list]: https://hg.mozilla.org/projects/nss/tags
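
Review bot: In step 2 the first command is `./mk-ca-bundle -v 2>_before`, but step 3 runs `./mk-ca-bundle.pl -v 2>_after` and the commit message template names `tools/mk-ca-bundle.pl`; the step 2 invocation should use the `.pl` name so the before and after runs call the same script. The same step does `cd tools/` and then asks the reader to verify `src/node_root_certs.h`, while step 3 refers to `../src/node_root_certs.h`; use the path relative to `tools/` in both places. Since `certdata.txt` is the source of the compiled-in trust anchors, consider `curl -fO` so that a mistyped tag fails instead of saving an error page as `certdata.txt`, and add a closing step that deletes `_before` and `_after` so they are not committed along with the header. Under "When to update", the sentence joining "after Mozilla makes an NSS release" and "check the [NSS release schedule][]" is a comma splice and reads better as two sentences.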