DST Root CA X3 in root certs is expired #40352
Comments
We updated the root certs to the most recent available NSS (3.71, https://wiki.mozilla.org/NSS:Release_Versions) in #40280. I'll defer to @nodejs/crypto as to whether we wait for the expired cert to be removed upstream or float a patch to remove it.
Hi! All certificates are subject to the same rules, like expiry checking, even if they are in the trust store. Policy-wise, there is nothing wrong with an expired cert being in the trust store, it just won't be used (assuming your date is right). NSS will remove it eventually and we'll get it here. However, OpenSSL 1.0.2 has an important bug where it only considers the first verification path to the trust store, and then it checks expiry. DST Root CA X3 hits this bug. Workarounds for the bug include:
But we don't have any active releases with OpenSSL 1.0.2, I think? tl;dr @virtuakazib make sure you're running an up to date version of Node
Correct, all currently supported versions of Node.js (12, 14, 16, 17) are compiled with OpenSSL 1.1.1. YMMV with Node.js packaged by Linux distributions (which tend to use the OpenSSL from the distribution rather than statically compiling into
Thanks for all the feedback. Sorry to take up your time.
No worries :)
@richardlau wow, I had no idea BoringSSL also used the wrong behavior... that must have caused a bit of an apocalypse
Version
All currently maintained/supported versions
Platform
All platforms
Subsystem
No response
What steps will reproduce the bug?
Using a NodeJS TLS client to connect to a server that uses the Let's Encrypt DST Root CA X3 cert as its root certificate, where the client depends on the root certificates bundled with NodeJS.
How often does it reproduce? Is there a required condition?
No response
What is the expected behavior?
No response
What do you see instead?
No response
Additional information
I understand that NodeJS developers can provide their own root certificates or provide alternate certificate chains for client requests, but it seems like good policy to not include expired certificates in the hard coded certificates bundled with NodeJS releases.
The exact location of the expired cert is here: https://github.com/nodejs/node/blob/master/src/node_root_certs.h#L367