2015-09-09 1:00 GMT+02:00 Michael Shuler <mich...@pbandjelly.org>:
> On 09/08/2015 05:05 PM, Jérémy Lal wrote:
>
>> Hi,
>>
>> I'm packaging nodejs 4.0.0, which contains CNNICHashWhitelist.inc,
>> related to https://bugzilla.mozilla.org/show_bug.cgi?id=1151512
>>
>> This file is non-dfsg in itself (it's not preferred form for
>> modification), but I don't really understand what it is.
>>
>
> From the best of my reading, it's restricting Firefox from validating any
> cert signed by CNNIC except those on the provided whitelist. I don't see
> where this was included in NSS.
>
>> FYI the Debian nodejs package itself uses the files from ca-certificates,
>> not the ones bundled in it.
>> Is this CNNIC whitelist something meaningful in that case?
>>
>
> ca-certificates is very little beyond the Mozilla CA bundle and a method
> for users to select the CAs they wish to trust/distrust. There is no
> library, just root certs. CNNIC is one of those root certs. If a user does
> not want to trust a CA, they can disable it. Unfortunately, there is no
> middle ground.
>
> This whitelist is one of those grey-area things that Mozilla has started
> doing in code outside of the root CA bundle, instead of just invalidating
> the root CA completely. There's nothing that can really be done in the
> ca-certificates package, since it's boolean: trust or not. This means there
> is not an exact parity between what Firefox may validate (or not) and
> software that uses the Debian ca-certificates trusted root CA list. NSS, on
> the other hand, may have gotten the same whitelist logic as Firefox - I
> don't know.
>
> Is it meaningful? CNNIC is a trusted CA by default, so certs will
> validate. If someone waves their arms because we don't invalidate something
> exactly the same way as Firefox, then we need a library of some sort to do
> that, like NSS, which means re-writing software like nodejs to link against
> it, etc. Not sure if it's worth the effort - and users that don't trust
> CNNIC can simply disable that CA completely.
>
> Let me know if that helps (or not)! :^)

It does, thank you a lot. Apparently nodejs is doing that work of filtering itself! Depending on the dfsg status of the generated file I'll disable that functionality, or not.

CC-ing to -devel in case someone is interested.

Jérémy
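To make the "grey area" concrete: the thread describes a policy layer that sits on top of a boolean trust store, where chains ending in a restricted root are only accepted if the leaf's SHA-256 fingerprint is on a whitelist. The following is an added illustration of that two-stage check written for this thread; it is not code from nodejs, NSS or ca-certificates, and the DER blobs, root set and whitelist are constructed placeholders rather than real certificates or the real CNNIC list.

```python
import hashlib
from typing import List, Set

# Constructed stand-ins for DER-encoded certificates (not real certs).
RESTRICTED_ROOT_DER = b"constructed-restricted-root-placeholder"
UNRESTRICTED_ROOT_DER = b"constructed-unrestricted-root-placeholder"
WHITELISTED_LEAF_DER = b"constructed-whitelisted-leaf-placeholder"
OTHER_LEAF_DER = b"constructed-other-leaf-placeholder"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Policy layer living outside the root bundle: roots whose chains are only
# accepted when the leaf is explicitly whitelisted (constructed sets).
RESTRICTED_ROOTS: Set[str] = {fingerprint(RESTRICTED_ROOT_DER)}
LEAF_WHITELIST: Set[str] = {fingerprint(WHITELISTED_LEAF_DER)}


def whitelist_check(chain: List[bytes]) -> bool:
    """chain[0] is the leaf, chain[-1] the root the trust store chained to.

    Returns True when the policy layer has no objection: either the root is
    not restricted, or it is restricted and the leaf is on the whitelist.
    """
    if not chain:
        return False
    if fingerprint(chain[-1]) not in RESTRICTED_ROOTS:
        return True  # ordinary root: the trust-store verdict stands as-is
    return fingerprint(chain[0]) in LEAF_WHITELIST


def verify(chain: List[bytes], store_says_valid: bool) -> str:
    """Combine the boolean trust-store verdict (stage 1, what a plain
    ca-certificates consumer has) with the whitelist policy (stage 2)."""
    if not store_says_valid:
        return "rejected: chain does not validate"
    if not whitelist_check(chain):
        return "rejected: restricted root, leaf not whitelisted"
    return "accepted"
```

A consumer that only has stage 1 accepts the second case below; that gap is the parity issue the thread describes.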