Skip to content

Commit

Permalink
fix: remove expired DST Root CA X3 (#31220)
Browse files Browse the repository at this point in the history 
* Revert "fix: Enable X509_V_FLAG_TRUSTED_FIRST flag in BoringSSL (#31215)"

This reverts commit 3bb36a6.

* fix: remove expired DST Root CA X3
  • Loading branch information
@deepak1556
deepak1556 committed Oct 4, 2021
1 parent e649666 commit 9a71ca5
Show file tree
Hide file tree
Showing 4 changed files with 43 additions and 21 deletions.
1 change: 0 additions & 1 deletion patches/boringssl/.patches
View file
@@ -1,4 +1,3 @@
expose_ripemd160.patch
expose_aes-cfb.patch
expose_des-ede3.patch
enable_x509_v_flag_trusted_first_flag.patch
20 changes: 0 additions & 20 deletions patches/boringssl/enable_x509_v_flag_trusted_first_flag.patch
View file

This file was deleted.

1 change: 1 addition & 0 deletions patches/node/.patches
View file
Expand Up @@ -36,3 +36,4 @@ fix_handle_new_tostring_behavior_in_v8_serdes_test.patch
fix_the_--harmony-weak-refs_has_been_removed_remove_from_specs.patch
node-api_faster_threadsafe_function.patch
src_add_missing_context_scopes.patch
fix_remove_expired_dst_root_ca_x3.patch
42 changes: 42 additions & 0 deletions patches/node/fix_remove_expired_dst_root_ca_x3.patch
View file
@@ -0,0 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: deepak1556 <hop2deep@gmail.com>
Date: Fri, 1 Oct 2021 08:03:08 +0900
Subject: fix: remove expired DST Root CA X3

The alternative ISRG Root X1 trusted certificate is
already available in this bundle.

https://letsencrypt.org/docs/certificate-compatibility/
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

diff --git a/src/node_root_certs.h b/src/node_root_certs.h
index 47beb730f4b853f1bf248a7fd1b1cd7d726bdf7e..94ac882ec7e4e2eb61d1f0094f79fb6f603d978c 100644
--- a/src/node_root_certs.h
+++ b/src/node_root_certs.h
@@ -525,26 +525,6 @@
"yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K\n"
"-----END CERTIFICATE-----",

-/* DST Root CA X3 */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYD\n"
-"VQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENB\n"
-"IFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRh\n"
-"bCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJ\n"
-"KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdA\n"
-"wRgUi+DoM3ZJKuM/IUmTrE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwG\n"
-"MoOifooUMM0RoOEqOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4X\n"
-"Lh7dIN9bxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n"
-"7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkq\n"
-"tilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
-"HQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqGSIb3DQEBBQUAA4IBAQCjGiyb\n"
-"FwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikugdB/OEIKcdBodfpga3csTS7MgROSR\n"
-"6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaL\n"
-"bumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir\n"
-"/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06Xyx\n"
-"V3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n"
-"-----END CERTIFICATE-----",
-
/* SwissSign Gold CA - G2 */
"-----BEGIN CERTIFICATE-----\n"
"MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkNI\n"

0 comments on commit 9a71ca5

Please sign in to comment.