Drop WoSign/StartCom root certs in 8.0

[ChALkeR]

The story: https://wiki.mozilla.org/CA:WoSign_Issues

We should probably take action on that in 8.0, especially noting that it will be an LTS version maintained until 2020-04.

Note that they might or might not be still be present in Mozilla root store at the time of 8.0 release, but they do plan removing them.

• Chrome plans to distrust new (newer than 2016-10-21) certs by StartCom and WoSign in Chrome 56 (ETA 2017-01-31), and plans to also distrust old certs in some subsequent release: https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
• Mozilla plans to distrust new (newer than 2016-10-21) certs by StartCom and WoSign in Firefox 51 (ETA 2017-01-24): https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/, and plans to also distrust the certs completely by removing them from their root store at some point after March 2017 (or earlier if new certs would be accepted).
• Apple plans to distrust WoSign CA Free SSL Certificate G2 signed certs newer than 2016-09-19 «in an upcoming security update», and claims that «we will take further action on WoSign/StartCom trust anchors in Apple products»: https://support.apple.com/en-us/HT204132

Related: #3159.

[mscdex]

+1

[ChALkeR]

/cc @nodejs/security

[bnoordhuis]

We compile the root CA list from Mozilla's certdata.txt, it's just a matter of updating before the v8.0.0 release. The WoSign and StartCom certificates haven't been removed upstream yet, I just checked.

[ChALkeR]

@bnoordhuis I am aware of that, but they do plan removing those. As I mentioned above:

Note that they might or might not be still be present in Mozilla root store at the time of 8.0 release, but they do plan removing them.

I think that we should add an exception from that rule and remove the certs manually, because in case if they remove those certs e.g. one week later than we cut 8.0 rc/release, the LTS be stuck with the insecure certs for several more years (or a breaking update would be needed without a semver-major version bump).

[bnoordhuis]

the LTS be stuck with the insecure certs for several more years (or a breaking update would be needed without a semver-major version bump)

We can and do update certificates in minor LTS releases so that's not an issue. We did so in v4.5.0, for example (and added a WoSign certificate in the process, I wryly note.)

[ChALkeR]

@bnoordhuis Ah, if removing certs in semver-minor LTS releases is fine, then it would be much easier to adopt this change.

Another thing then — would we be able to keep the root certs until they are removed from the Mozilla root store, but distrust certs that are newer than 2016-10-21 and were signed by the affected StartCom and WoSign certs, like Google and Mozilla will do in 2017-01?

[bnoordhuis]

distrust certs that are newer than 2016-10-21 and were signed by the affected StartCom and WoSign certs

We can. We already do something similar for CNNIC-issued certificates, see #1895.

[silverwind]

I too think we should not diverge from the Mozilla's certs unless absolutely necessary.

[bnoordhuis]

Note to self: we can probably just take Mozilla's StartComAndWoSignData.inc from https://hg.mozilla.org/releases/mozilla-aurora/rev/f1024d90b420 but TBD how to deal with the back-dated certificates.

[shigeki]

We cannot check backdated certs unless Certificate Transparency is supported. Mozilla says that they deprecates WoSign/StartCom certs immediately once a backdated cert is found in the future.
I think it is best to add WoSign/StartCom checks rather than to remove their root certs since the number of issued certs by them are so large that it affects a lot of Node users.

[bnoordhuis]

My thinking was that, since there are only 60-something known back-dated certificates, we can simply hard-code their serial numbers.

[shigeki]

They are all SHA-1 certs to be expired in the end of this year. I think it has little benefits to check them only for less than 2 months.

I've just made a patch to check certs issued by StartCom and WoSign as mozilla does in
shigeki@443a5ec

If there is no objections to do it, I will submit it.