fix: Enable X509_V_FLAG_TRUSTED_FIRST flag in BoringSSL #31213
Conversation
Fixes: #31212
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
We are planning to work on a test case, but probably as another PR just to get this one merged given its urgency.
I'm somewhat concerned that the bug only impacts the nodejs http module but this patch impacts every consumer of boringssl. Is there any way to patch this in to node specifically?
cc @davidben - do you think this is the right fix?
Yeah, I get your point. On the other hand, every consumer of BoringSSL that doesn't overwrite the default flags would face the same problem, right? To your point, Chromium does seem to work by default, so I guess they already overwrite it in all places?
Compiled a test build with this patch. I can confirm I was able to successfully make a request to
If you merge this please consider backporting the fix to previous Electron versions. In our case, we are somewhat stuck at version 10 due to the Electron sandbox changes. We'll upgrade some day but it's not trivial, and I'm sure many people likewise don't have the resources to upgrade to a major version, yet would certainly consider upgrading to a patch version.
@laurent22 We're planning on backporting the fix into all of our current stable release lines (Electron 12-15) and beta line (Electron 16) 👍 If people reading have concerns, let's discuss in the original issue so we don't distract from any fix discussions here 🙂
Release Notes Persisted
I have automatically backported this PR to "12-x-y", please check out #31214
Are you planning to make the change in the upstream BoringSSL library:
It is being tracked here https://bugs.chromium.org/p/boringssl/issues/detail?id=439
Chromium has its own verifier code and doesn't use BoringSSL at all for this purpose, which is also why it's not affected.
Do you plan to backport the fix for Electron v8 and v11 as well?
Could you please backport this to v11 as well? Our product is still using v11 since some bugs (for example #30666 and #31016) are unfixed and we can't upgrade to the latest stable for the moment. Sorry to ping you; I'm not sure whom to ping, since this bug should affect all stable releases and the Electron team should take action now.
We're also requesting a backport to v9 if at all possible.
Fixes: electron#31212
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
This flag is set by default on OpenSSL.
Fixes: #31212
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
npm test passes
Release Notes
Notes: Fix Let's Encrypt DST Root CA X3 certificate expiration.
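As an added illustration of what the flag changes (example code written for this page, not code from this PR, from Electron or from BoringSSL), the Python model below builds a certification path two ways: consuming the peer-supplied chain before consulting the trust store, which is the legacy behaviour a verifier has without X509_V_FLAG_TRUSTED_FIRST, and asking the trust store for an issuer at every step first, which is what the flag enables and what OpenSSL does by default. Certificates are plain records with no signatures, OpenSSL's alternative-chain retry is deliberately omitted, the leaf certificate and the trust-store contents are constructed for the example, and the root and intermediate names and notAfter dates are those of the public Let's Encrypt chain involved in the DST Root CA X3 expiry.

```python
"""Model of X.509 path building with and without X509_V_FLAG_TRUSTED_FIRST.

Added illustration, not Electron or BoringSSL code. Certificates are name/date
records only (no signatures); the leaf and the trust store are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: names and expiry only."""
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


UTC = timezone.utc
# Public roots/intermediates of the Let's Encrypt chain with their real notAfter values.
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))
ISRG_ROOT_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, 11, 4, 38, tzinfo=UTC))
# Cross-signed ISRG Root X1 (issued by DST Root CA X3) that servers sent in the default chain.
ISRG_ROOT_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, 18, 14, 3, tzinfo=UTC))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15, 16, 0, 0, tzinfo=UTC))
# Constructed leaf: any name and an expiry inside R3's validity.
LEAF = Cert("example.invalid (constructed)", "R3", datetime(2021, 12, 1, tzinfo=UTC))

# Constructed trust store: an OS image that still ships the expired DST root next to ISRG Root X1.
TRUST_STORE: List[Cert] = [DST_ROOT_X3, ISRG_ROOT_X1_SELF]
# Chain exactly as the peer presents it: leaf first, then the intermediates it chose to send.
SERVER_CHAIN: List[Cert] = [LEAF, R3, ISRG_ROOT_X1_CROSS]
# Verification time: the day after DST Root CA X3 expired.
NOW = datetime(2021, 10, 1, tzinfo=UTC)


def find_issuer(cert: Cert, pool: Iterable[Cert]) -> Optional[Cert]:
    """Return the first certificate in `pool` whose subject matches `cert`'s issuer."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def build_path(chain: List[Cert], trust_store: List[Cert], trusted_first: bool,
               now: datetime) -> Tuple[bool, List[Cert], str]:
    """Build a path from chain[0] to a trust anchor, then check every certificate's expiry.

    trusted_first=False consumes the peer-supplied certificates before looking in the
    trust store (legacy behaviour). trusted_first=True consults the trust store for an
    issuer at every step first, which is what X509_V_FLAG_TRUSTED_FIRST does.
    Signature checks and OpenSSL's alternative-chain retry are omitted on purpose.
    """
    untrusted = list(chain[1:])
    path = [chain[0]]
    while True:
        current = path[-1]
        pools = (trust_store, untrusted) if trusted_first else (untrusted, trust_store)
        candidate = next((c for c in (find_issuer(current, p) for p in pools) if c is not None), None)
        if candidate is None:
            return False, path, "unable to get issuer certificate"
        path.append(candidate)
        if candidate in trust_store:
            break  # reached a trust anchor; stop extending the path
        if candidate.self_signed or candidate in path[:-1]:
            return False, path, "self-signed certificate in certificate chain"
    for depth, cert in enumerate(path):
        if now > cert.not_after:
            return False, path, f"certificate has expired (depth {depth}: {cert.subject})"
    return True, path, "ok"


if __name__ == "__main__":
    for flag in (False, True):
        ok, path, reason = build_path(SERVER_CHAIN, TRUST_STORE, flag, NOW)
        print(f"trusted_first={flag}: {'OK' if ok else 'FAIL'} via "
              f"{' -> '.join(c.subject for c in path)} ({reason})")
```

Without the flag the path follows the peer's cross-signed ISRG Root X1 up to the expired DST Root CA X3 in the trust store and fails at depth 3; with the flag the verifier stops at the self-signed ISRG Root X1 already in the trust store as soon as R3 names it as issuer, and the expired root is never consulted. Chromium's own verifier, as noted in the thread, does not go through this code path at all.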