fix: remove expired DST Root CA X3 #31219

Merged
merged 2 commits into from Oct 1, 2021

@deepak1556 deepak1556 commented Sep 30, 2021

Description of Change

Alternative targeted fix for stable branch lines while the boringssl change is explored in main and beta branches.

Refs https://bugs.chromium.org/p/boringssl/issues/detail?id=439#c2

Checklist

Release Notes

Notes: Remove expired DST Root CA X3 from the bundled trust store

@deepak1556 deepak1556 requested a review from a team as a code owner September 30, 2021 22:25
@electron-cation electron-cation bot added the new-pr 🌱 PR opened in the last 24 hours label Sep 30, 2021
@deepak1556 deepak1556 added 15-x-y target/12-x-y backport-check-skip Skip trop's backport validity checking labels Sep 30, 2021
@electron-cation electron-cation bot removed the new-pr 🌱 PR opened in the last 24 hours label Sep 30, 2021
@deepak1556 deepak1556 added semver/patch backwards-compatible bug fixes fast-track 🚅 Indicates that this PR is intended to bypass the 24 hour rule. Needs approval from Releases labels Sep 30, 2021
@deepak1556 deepak1556 requested a review from a team September 30, 2021 22:27
@deepak1556 deepak1556 removed the fast-track 🚅 Indicates that this PR is intended to bypass the 24 hour rule. Needs approval from Releases label Sep 30, 2021
@deepak1556
Member Author

Failing tests are unrelated, merging

@deepak1556 deepak1556 merged commit 9407a3e into 15-x-y Oct 1, 2021
@deepak1556 deepak1556 deleted the robo/rm_expired_root_cert branch October 1, 2021 14:56
@release-clerk

release-clerk bot commented Oct 1, 2021

Release Notes Persisted

Remove expired DST Root CA X3 from the bundled trust store

@wartab

wartab commented Oct 8, 2021

Would it be possible to make an Electron 14 release with this patch?

Or is the following patch that got reverted sufficient? #31216

@deepak1556
Member Author

The fix available via 14.1.0 is sufficient; this just reverts to a less obtrusive fix on the stable release lines. So this will be available on the next update to Electron 14, but there should be no behavior difference between the two.

@quanglam2807
Contributor

quanglam2807 commented Oct 8, 2021

Thanks for the clarification, @deepak1556. I'm currently running 13.5.1 and it seems like the bug is also fixed with #31216. But a user reported an error: ERR_CERT_DATE_INVALID. I checked https://bugs.chromium.org/p/boringssl/issues/detail?id=439#c2 and "TRUSTED_FIRST can break other scenarios" was mentioned. Could it be a degradation caused by #31216 and this fix is actually better?


@deepak1556
Member Author

@quanglam2807 can you open an issue with a minimal repro? It would help to confirm if there was a regression. If a repro is not available, can you collect the network trace by launching the app with --log-net-log=<some-absolute-path>/netlog.json and performing the failing request? The log will be available once the app is quit.
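
One way to triage the net log requested above, added here as an example and not part of the original comment or of Electron's code: it lists the events in a log that carry ERR_CERT_DATE_INVALID, with the URL seen on the same source when there is one. It assumes Chromium's NetLog JSON layout (constants.netError, constants.logEventTypes, events[].params.net_error); the sample log, its event type numbers and the name find_net_errors are constructed for illustration.

```python
import json

# Constructed sample in the shape of a Chromium NetLog dump (assumed layout:
# "constants" holds name -> number tables, "events" holds the recorded events).
# The event type numbers below are made up for this sample.
SAMPLE_NETLOG = json.dumps({
    "constants": {
        "netError": {"ERR_CERT_DATE_INVALID": -201, "ERR_CONNECTION_RESET": -101},
        "logEventTypes": {"SSL_CONNECT": 70, "URL_REQUEST_START_JOB": 110},
    },
    "events": [
        {"type": 110, "source": {"id": 7}, "params": {"url": "https://example.test/"}},
        {"type": 70, "source": {"id": 8}, "params": {"net_error": -201}},
        {"type": 70, "source": {"id": 9}, "params": {"net_error": -101}},
        {"type": 110, "source": {"id": 7}, "params": {"net_error": -201}},
        {"type": 70, "source": {"id": 10}},  # event without params
    ],
})


def find_net_errors(netlog_text, error_name="ERR_CERT_DATE_INVALID"):
    """Return [(source_id, event_type_name, url_or_None)] for matching events."""
    log = json.loads(netlog_text)
    constants = log.get("constants", {})
    # Resolve the numeric code from the log's own table instead of hardcoding it.
    code = constants.get("netError", {}).get(error_name)
    if code is None:
        raise ValueError(f"{error_name} is not in this log's netError table")
    type_names = {num: name for name, num in constants.get("logEventTypes", {}).items()}

    urls = {}  # source id -> first URL recorded for that source
    hits = []
    for event in log.get("events", []):
        params = event.get("params") or {}
        source_id = (event.get("source") or {}).get("id")
        if "url" in params:
            urls.setdefault(source_id, params["url"])
        if params.get("net_error") == code:
            type_id = event.get("type")
            hits.append((source_id, type_names.get(type_id, str(type_id))))
    # Attach URLs last so a URL logged after the error is still picked up.
    return [(sid, name, urls.get(sid)) for sid, name in hits]


if __name__ == "__main__":
    for source_id, event_type, url in find_net_errors(SAMPLE_NETLOG):
        print(source_id, event_type, url or "(no URL on this source)")
```

To run it on a real capture, pass the contents of the netlog.json written by --log-net-log.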

@quanglam2807
Contributor

@deed02392 I'm sorry but I couldn't reproduce the bug on my Mac and the user is not technically savvy so it'd be difficult to ask for the network trace. If I upgrade from electron@13.5.1 to electron@15.1.1 and it works, maybe we can then make the conclusion? Or is there anything better I can do?
