Update Mozilla CA certificate store to latest (03-07-2018) for libgit2 SSL. #26983
deps/libgit2.mk
@@ -77,10 +77,10 @@ $(LIBGIT2_SRC_PATH)/libgit2-bundled_zlib.patch-applied: $(LIBGIT2_SRC_PATH)/sour | |||
echo 1 > $@ | |||
|
|||
$(build_datarootdir)/julia/cert.pem: | |||
$(JLDOWNLOAD) $(shell pwd)/cacert-2018-01-17.pem https://curl.haxx.se/ca/cacert-2018-01-17.pem |
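Review bot: the date 2018-01-17 is hard-coded twice on the $(JLDOWNLOAD) line (once in the local filename, once in the URL); derive both from a single Make variable so the two cannot drift apart and so the version can be overridden from Make.user. The hunk shows only the download step, and because this file becomes the trust root libgit2 validates every TLS peer against, the recipe should verify the fetched file against a pinned checksum before the install step copies it into cert.pem.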
Might be good to extract this version into its own variable that can be set in Make.user
… certificate store from the curl project.
@vchuravy As you have suggested, I created the variable
Would be great to get a quick review of this (@vchuravy?, @staticfloat?). Should this be backported for 0.6.3 as well?
@mikhail-j thank you for doing this work!
I have a few more changes in mind, which I commented on inline. Let me know if you need help with the Make part.
Make.inc
# Specify the version of the Mozilla CA Certificate Store to obtain. | ||
# The versions of cacert.pem are identified by the date of their changes. | ||
# See https://curl.haxx.se/docs/caextract.html for more details. | ||
MOZILLA_CACERT_VERSION:=cacert-2018-03-07.pem |
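Review bot: the comment above says the store versions are identified by their date, yet MOZILLA_CACERT_VERSION is assigned the whole filename cacert-2018-03-07.pem. Store only the date (MOZILLA_CACERT_VERSION:=2018-03-07) and build the filename and download URL from it in libgit2.mk, so there is one place to bump and the variable's name matches its contents.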
I would prefer this just being MOZILLA_CACERT_VERSION:=2018-03-07.
deps/libgit2.mk
@@ -77,10 +77,10 @@ $(LIBGIT2_SRC_PATH)/libgit2-bundled_zlib.patch-applied: $(LIBGIT2_SRC_PATH)/sour | |||
echo 1 > $@ | |||
|
|||
$(build_datarootdir)/julia/cert.pem: |
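Review bot: the target line $(build_datarootdir)/julia/cert.pem: lists no prerequisite, so once the file exists a later change to MOZILLA_CACERT_VERSION never makes it out of date and the stale store stays installed. Split the rule into a download-and-verify target whose filename embeds the version and an install target for cert.pem that depends on it; bumping the version then forces both to re-run.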
An issue that I just noticed with this while checking out these changes locally is that when the MOZILLA_CACERT_VERSION is changed the local file will not be updated.
One can achieve this by splitting this Make step into two steps: one for downloading and checking the file, and the other for installing it.
Couldn't we remove the locally installed cert.pem during make clean (by adding rm $(build_datarootdir)/julia/cert.pem)?
@vchuravy I noticed that the directory $(build_datarootdir)/julia still exists after make clean.
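The two-step layout vchuravy describes (download and verify the versioned file, then install it) written out as an added example; this is not the Julia tree's own libgit2.mk or Make.inc. MOZILLA_CACERT_VERSION and the build-directory paths follow the thread, while the use of curl and sha256sum, the placeholder digest and the directory names are assumptions of this example.

```makefile
# Added example, not the Julia project's Makefile.
MOZILLA_CACERT_VERSION ?= 2018-03-07              # date only; overridable from Make.user
CACERT_FILE   := cacert-$(MOZILLA_CACERT_VERSION).pem
CACERT_URL    := https://curl.haxx.se/ca/$(CACERT_FILE)
CACERT_SHA256 := <sha256-of-the-pinned-cacert-file>   # placeholder: pin the real digest here
DOWNLOADS     := deps/downloads                   # assumed directory
DATADIR       := usr/share/julia                  # stands in for $(build_datarootdir)/julia

.PHONY: all clean
all: $(DATADIR)/cert.pem

# Step 1: fetch the version-named file and verify it before anything trusts it.
# The file is written under a temporary name so a failed download or a digest
# mismatch never leaves a usable target behind for the next make invocation.
$(DOWNLOADS)/$(CACERT_FILE):
	mkdir -p $(dir $@)
	curl -fsSL -o $@.tmp $(CACERT_URL)
	echo "$(CACERT_SHA256)  $@.tmp" | sha256sum -c - || { rm -f $@.tmp; exit 1; }
	mv $@.tmp $@

# Step 2: install. The prerequisite name embeds the version, so changing
# MOZILLA_CACERT_VERSION makes cert.pem out of date and re-runs both steps;
# the old store is replaced instead of being silently kept.
$(DATADIR)/cert.pem: $(DOWNLOADS)/$(CACERT_FILE)
	mkdir -p $(dir $@)
	cp $< $@

# Removing the installed copy on clean covers the case from the thread where
# the target still exists after make clean; the verified download is kept.
clean:
	rm -f $(DATADIR)/cert.pem
```

sha256sum -c as used here is the GNU coreutils form; on systems without it, shasum -a 256 -c accepts the same "digest  filename" line.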
@vchuravy @staticfloat I've committed the changes @vchuravy requested for the makefile target.
@StefanKarpinski @vchuravy @staticfloat During this time, the official curl project has updated their Mozilla CA certificate store (here) on June 20th, 2018. I've committed the new SSL certificates to this pull request so it can be merged with the main branch.
Sorry, forgot about this. LGTM
This seems to leave
… 2 SSL. (JuliaLang#26983) Update Mozilla CA certificate store to latest (06-20-2018) for libgit2 SSL. * Use MOZILLA_CACERT_VERSION to obtain specific version of Mozilla's CA certificate store from the curl project.
The Mozilla CA certificate store provided by the curl project was updated last month (03/07/2018).
In January 2018, Mozilla Security Blog announced that SSL Certificate Validity Periods are to be changed to 825 days or less by 03/01/2018 for newly issued SSL certificates. This coincides with this update to the cacert.pem provided by the curl project.
In March 2018, Mozilla Security Blog announced their plan for the gradual removal of Symantec TLS/SSL certificates in their Firefox Browser.
Firefox 60 is planned to be released on 05/09/2018 (Mozilla Firefox Release Calendar).
I have checked the certdata.txt used in both 59.0.3 (current release) and 60.0 (tagged as FIREFOX_RELEASE_60_BASE) and they both share the SHA256 checksum: 704f02707ec6b4c4a7597a8c6039b020def11e64f3ef0605a9c3543d48038a57.
@staticfloat @tkelman As mentioned in #24212, the checksums for cacert-2018-03-07.pem have been added for use with jlchecksum.