Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: Expose the public key of a certificate & cert sha256 #17690

Closed

Conversation

Hannes-Magnusson-CK
Copy link
Contributor

@Hannes-Magnusson-CK Hannes-Magnusson-CK commented Dec 14, 2017

Expose the raw public key of the certificate. This is needed for applications to be able to pin the public key rather then the exact certificate. This also makes it a lot easier to implement HPKP, but to be able to do proper HPKP we need to have access the the issuer certificate too, so we are now passing the "detailed" certificate to checkServerIdentity.

The certificate object contains the SHA1 fingerprint of the certificate. That is getting a little date so I've added the SHA256 as cert.fingerprint256.

Also added docs on how to do cert pinning and pubkey pinning.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines
Affected core subsystem(s)
  • crypto
  • doc

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. tls Issues and PRs related to the tls subsystem. labels Dec 14, 2017
@Hannes-Magnusson-CK Hannes-Magnusson-CK changed the title Sha256 and pubkey crypto: Expose the public key of a certificate & cert sha256 Dec 15, 2017
@@ -1795,6 +1795,25 @@ static bool SafeX509ExtPrint(BIO* out, X509_EXTENSION* ext) {
}


static void addFingerprintDigest(unsigned char *md,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: could you make the * left-leaning?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah. Whops :) Thanks!
I've amended the commit

@jasnell jasnell added the semver-minor PRs that contain new features and should be released in the next minor version. label Dec 18, 2017
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Calling i2d_RSA_PUBKEY() is not very cheap, calling it twice even less so. Since you make it the default, there may be performance implications.

You might be able to claw back some of the overhead with i2d_RSA_PUBKEY_bio() + an in-memory BIO so it's only decoded once, but you'd have to measure that.

@@ -1795,6 +1795,25 @@ static bool SafeX509ExtPrint(BIO* out, X509_EXTENSION* ext) {
}


static void addFingerprintDigest(unsigned char* md,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Style: should be e.g.AddFingerprintDigest(). md can be const unsigned char*.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!

fingerprint[(3*(md_size-1))+2] = '\0';
} else {
fingerprint[0] = '\0';
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you're here: just fingerprint[3*i] = '\0';?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I understand.
You mean instead of fingerprint[0]? Not sure how that makes it any more readable?

Note that 3*(md_size-1)+2 !== 3*i


int size = i2d_RSA_PUBKEY(rsa, nullptr);
Local<Object> pubbuff = Buffer::New(env, size).ToLocalChecked();
unsigned char *pubserialized = reinterpret_cast<unsigned char *>(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Style: unsigned char* (star leans left) on LHS and RHS and line break after the =.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@@ -1879,6 +1898,13 @@ static Local<Object> X509ToObject(Environment* env, X509* cert) {
String::NewFromUtf8(env->isolate(), mem->data,
String::kNormalString, mem->length));
USE(BIO_reset(bio));

int size = i2d_RSA_PUBKEY(rsa, nullptr);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you CHECK_GE(size, 0) here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

info->Set(env->fingerprint_string(),
addFingerprintDigest(md, md_size, fingerprint);
info->Set(env->fingerprint_string(),
OneByteString(env->isolate(), fingerprint));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Style: can you line up the arguments?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

doc/api/https.md Outdated

const options = {
checkServerIdentity: function(host, cert) {
/* Make sure the certificate is issued to the host we are connected to */
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you use // comments here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

doc/api/https.md Outdated
} while (cert.fingerprint256 !== lastprint256);

},
hostname: 'github.com',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd put these before checkServerIdentity, they get kind of obscured now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

doc/api/https.md Outdated
const pubkey256 = 'pL1+qb9HTMRZJmuC/bB/ZI9d302BYrrqiVuRyW+DGrU=';
hash = crypto.createHash('sha256');
hash.update(cert.pubkey);
if (hash.digest('base64') !== pubkey256) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For legibility/succinctness/DRY, maybe put this in a separate function:

function sha256(s) {
  return crypto.createHash('sha256').update(s).digest('base64');
}

And then you can write:

if (pubkey256 !== sha256(cert.pubkey)) {

And below:

console.log('\tPublic key ping-sha256:', sha256(cert.pubkey));  // also note the , instead of +

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, good idea.

unsigned char md[EVP_MAX_MD_SIZE];
unsigned int md_size;
char fingerprint[EVP_MAX_MD_SIZE * 3];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you're here, can you change that to EVP_MAX_MD_SIZE * 3 + 1? There is a (hypothetical) write-after-end in case md_size == EVP_MAX_MD_SIZE. (Hypothetical because that can only happen with SHA-512.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice

@@ -1795,6 +1795,25 @@ static bool SafeX509ExtPrint(BIO* out, X509_EXTENSION* ext) {
}


static void addFingerprintDigest(unsigned char* md,
unsigned int md_size,
char* fingerprint) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you change this to char (*fingerprint)[3 * EVP_MAX_MD_SIZE + 1], then people can never inadvertently pass a buffer that's too small and the compiler is more likely to warn you when you try to write past the end. You index into it with (*fingerprint)[3*i] = ....

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice. Good catch

@joyeecheung
Copy link
Member

@Hannes-Magnusson-CK Can you address the comments by @bnoordhuis ? Thanks!

@Hannes-Magnusson-CK
Copy link
Contributor Author

Whooops. I lost track of this and missed the comments. Thanks for the review @bnoordhuis & @jasnell ! I'll try to address the comments by the end of week.

@BridgeAR BridgeAR added the wip Issues and PRs that are still a work in progress. label Jan 19, 2018
Copy link
Contributor Author

@Hannes-Magnusson-CK Hannes-Magnusson-CK left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe I've addressed all the feedback.
Thank you @bnoordhuis so much for thorough review!

As for the performance of i2d_RSA_PUBKEY() I haven't been able to reproduce a performance issue there that isn't drowned out by the actual tls handshake itself.

doc/api/https.md Outdated

const options = {
checkServerIdentity: function(host, cert) {
/* Make sure the certificate is issued to the host we are connected to */
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

doc/api/https.md Outdated
const pubkey256 = 'pL1+qb9HTMRZJmuC/bB/ZI9d302BYrrqiVuRyW+DGrU=';
hash = crypto.createHash('sha256');
hash.update(cert.pubkey);
if (hash.digest('base64') !== pubkey256) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, good idea.

doc/api/https.md Outdated
} while (cert.fingerprint256 !== lastprint256);

},
hostname: 'github.com',
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@@ -1795,6 +1795,25 @@ static bool SafeX509ExtPrint(BIO* out, X509_EXTENSION* ext) {
}


static void addFingerprintDigest(unsigned char* md,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!

@@ -1795,6 +1795,25 @@ static bool SafeX509ExtPrint(BIO* out, X509_EXTENSION* ext) {
}


static void addFingerprintDigest(unsigned char* md,
unsigned int md_size,
char* fingerprint) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice. Good catch


int size = i2d_RSA_PUBKEY(rsa, nullptr);
Local<Object> pubbuff = Buffer::New(env, size).ToLocalChecked();
unsigned char *pubserialized = reinterpret_cast<unsigned char *>(
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

unsigned char md[EVP_MAX_MD_SIZE];
unsigned int md_size;
char fingerprint[EVP_MAX_MD_SIZE * 3];
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice

info->Set(env->fingerprint_string(),
addFingerprintDigest(md, md_size, fingerprint);
info->Set(env->fingerprint_string(),
OneByteString(env->isolate(), fingerprint));
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

const fixtures = require('../common/fixtures');
if (!common.hasCrypto) {
common.skip('missing crypto');
return;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

':4C:A4:00:53:93:A9:66:07:A7:BC:13:32'
);

/* SHA256 fingerprint of the public key */
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refactored it into sha256 function as you pointed out earlier

Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM with some closing comments.

CI: https://ci.nodejs.org/job/node-test-commit/15594/

doc/api/https.md Outdated
* Print the certificate and public key fingerprints of all certs in the
* chain. Its common to pin the public key of the issuer on the public
* internet, while pinning the public key of the service in sensitive
* environments.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you use // comments here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

doc/api/https.md Outdated
*/
do {
console.log('Subject Common Name: ' + cert.subject.CN);
console.log('\tCertificate SHA256 fingerprint: ' + cert.fingerprint256);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

,, not +, and then you don't need the blank after the semicolon. Ditto three lines below.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

magic =)
done

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also fixed the '\t' to 2spaces has the ci linter complained about tab being used in the output text

Copy link
Contributor Author

@Hannes-Magnusson-CK Hannes-Magnusson-CK left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the thorough review !

doc/api/https.md Outdated
* Print the certificate and public key fingerprints of all certs in the
* chain. Its common to pin the public key of the issuer on the public
* internet, while pinning the public key of the service in sensitive
* environments.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

doc/api/https.md Outdated
*/
do {
console.log('Subject Common Name: ' + cert.subject.CN);
console.log('\tCertificate SHA256 fingerprint: ' + cert.fingerprint256);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

magic =)
done

doc/api/https.md Outdated
*/
do {
console.log('Subject Common Name: ' + cert.subject.CN);
console.log('\tCertificate SHA256 fingerprint: ' + cert.fingerprint256);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also fixed the '\t' to 2spaces has the ci linter complained about tab being used in the output text

@bnoordhuis bnoordhuis added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. and removed wip Issues and PRs that are still a work in progress. labels Jan 23, 2018
@bnoordhuis
Copy link
Member

The two CI failures are known flakes. This should be good to go.

@BridgeAR
Copy link
Member

BridgeAR commented Feb 1, 2018

@Hannes-Magnusson-CK this needs a rebase.

@BridgeAR BridgeAR removed the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Feb 1, 2018
@Hannes-Magnusson-CK
Copy link
Contributor Author

Rebased on current master, fixed the conflict, and squashed couple of commits

@BridgeAR
Copy link
Member

BridgeAR commented Feb 7, 2018

@Hannes-Magnusson-CK I am very sorry but this needs another rebase :/

@Hannes-Magnusson-CK
Copy link
Contributor Author

Simple rebase this time, done :)

@BridgeAR
Copy link
Member

BridgeAR commented Feb 7, 2018

@BridgeAR BridgeAR added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Feb 7, 2018
@BridgeAR
Copy link
Member

Hm, it seems like there was a older conflicting PR #16402. That one just landed and the current code has to be rebased. @Hannes-Magnusson-CK I have the feeling this PR is now obsolete but I might be wrong. If so: I am sorry that this was not detected earlier. Otherwise it would be great if you could check what is necessary and what not! Thanks for being so patient and for sticking to it! That is much appreciated.

addaleax pushed a commit to addaleax/node that referenced this pull request Mar 5, 2018
PR-URL: nodejs#17690
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
@MylesBorins
Copy link
Contributor

Should this be backported to v9.x-staging? If yes please follow the guide and raise a backport PR, if not let me know or add the dont-land-on label.

@MylesBorins
Copy link
Contributor

it looks like 7876aeb already made itself into a release

@MylesBorins MylesBorins mentioned this pull request Mar 6, 2018
@Hannes-Magnusson-CK
Copy link
Contributor Author

The other 3 commits don't seem to be included in that branch.
@MylesBorins should I follow the guide to create a PR for v9.8.0-proposal?
Or is that something @addaleax is working on? (looks like @addaleax included one of the commits already)

MylesBorins added a commit that referenced this pull request Mar 6, 2018
Notable Changes:

* crypto:
  - add cert.fingerprint256 as SHA256 fingerprint (Hannes Magnusson)
    #17690
* lib:
  - v8_prof_processor works again 🎉 (Anna Henningsen)
    #19059
* loader:
  - --inspect-brk now works properly for esmodules (Gus Caplan)
    #18949
* src:
  - handle exceptions in env-\>SetImmediates (James M Snell)
    #18297
  - make process.dlopen() load well-known symbol (Ben Noordhuis)
    #18934
* trace_events:
  - add file pattern cli option (Andreas Madsen)
    #18480

PR-URL: #19181
MylesBorins added a commit that referenced this pull request Mar 7, 2018
Notable Changes:

* crypto:
  - add cert.fingerprint256 as SHA256 fingerprint (Hannes Magnusson)
    #17690
* lib:
  - v8_prof_processor works again 🎉 (Anna Henningsen)
    #19059
* loader:
  - --inspect-brk now works properly for esmodules (Gus Caplan)
    #18949
* src:
  - handle exceptions in env-\>SetImmediates (James M Snell)
    #18297
  - make process.dlopen() load well-known symbol (Ben Noordhuis)
    #18934
* trace_events:
  - add file pattern cli option (Andreas Madsen)
    #18480

PR-URL: #19181
MylesBorins added a commit that referenced this pull request Mar 7, 2018
Notable Changes:

* crypto:
  - add cert.fingerprint256 as SHA256 fingerprint (Hannes Magnusson)
    #17690
* http2:
  - Fixed issues with aborted connections in the HTTP/2 implementation
    (Anna Henningsen)
    #18987
    #19002
* loader:
  - --inspect-brk now works properly for esmodules (Gus Caplan)
    #18949
* src:
  - make process.dlopen() load well-known symbol (Ben Noordhuis)
    #18934
* trace_events:
  - add file pattern cli option (Andreas Madsen)
    #18480
* Added new collaborators:
  - Chen Gang (MoonBall) https://github.com/MoonBall

PR-URL: #19181
MylesBorins added a commit that referenced this pull request Mar 8, 2018
Notable Changes:

* crypto:
  - add cert.fingerprint256 as SHA256 fingerprint (Hannes Magnusson)
    #17690
* http2:
  - Fixed issues with aborted connections in the HTTP/2 implementation
    (Anna Henningsen)
    #18987
    #19002
* loader:
  - --inspect-brk now works properly for esmodules (Gus Caplan)
    #18949
* src:
  - make process.dlopen() load well-known symbol (Ben Noordhuis)
    #18934
* trace_events:
  - add file pattern cli option (Andreas Madsen)
    #18480
* Added new collaborators:
  - Chen Gang (MoonBall) https://github.com/MoonBall

PR-URL: #19181
@MylesBorins
Copy link
Contributor

@Hannes-Magnusson-CK no need to make a proposal for the release, what would really help would be making sure every commit from this PR made it on to the staging branch

@Hannes-Magnusson-CK
Copy link
Contributor Author

Looks like v10.x-staging is up2date with all the commits here. Thanks @MylesBorins !

@MylesBorins
Copy link
Contributor

To clarify. This PR has not landed in it's entirety on v9.x. Could someone please open up a backport PR

@targos targos removed author ready PRs that have at least one approval, no pending requests for changes, and a CI started. backport-requested-v9.x labels Mar 24, 2018
@targos
Copy link
Member

targos commented Mar 24, 2018

There was just one trivial conflict to solve, no need for a backport

targos pushed a commit that referenced this pull request Mar 24, 2018
PR-URL: #17690
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
targos pushed a commit that referenced this pull request Mar 24, 2018
PR-URL: #17690
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
targos pushed a commit that referenced this pull request Mar 24, 2018
Include example on how to pin certificate and/or public key

PR-URL: #17690
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
targos added a commit that referenced this pull request Mar 27, 2018
Notable changes:

* cluster:
  - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
    #19165
* crypto:
  - Expose the public key of a certificate (Hannes Magnusson)
    #17690
* n-api:
  - Add `napi_fatal_exception` to trigger an `uncaughtException` in
    JavaScript (Mathias Buus)
    #19337
* path:
  - Fix regression in `posix.normalize` (Michaël Zasso)
    #19520
* stream:
  - Improve stream creation performance (Brian White)
    #19401
* Added new collaborators
  - [BethGriggs](https://github.com/BethGriggs) Beth Griggs
MylesBorins pushed a commit that referenced this pull request Mar 28, 2018
This is a security release. All Node.js users should consult the
security release summary at:

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160

Notable changes:

* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
  are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
  A malicious website could use a DNS rebinding attack to trick a web
  browser to bypass same-origin-policy checks and allow HTTP
  connections to localhost or to hosts on the local network,
  potentially to an open inspector port as a debugger, therefore
  gaining full code execution access. The inspector now only allows
  connections that have a browser `Host` value of `localhost` or
  `localhost6`.
* **Fix for `'path'` module regular expression denial of service
  (CVE-2018-7158)**: A regular expression used for parsing POSIX an
  Windows paths could be used to cause a denial of service if an
  attacker were able to have a specially crafted path string passed
  through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
  (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
  `Content-Length` header values. Such values now lead to rejected
  connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
  been added to the Node.js binary and 30 have been removed.

* cluster:
  - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
    #19165
* crypto:
  - Expose the public key of a certificate (Hannes Magnusson)
    #17690
* n-api:
  - Add `napi_fatal_exception` to trigger an `uncaughtException` in
    JavaScript (Mathias Buus)
    #19337
* path:
  - Fix regression in `posix.normalize` (Michaël Zasso)
    #19520
* stream:
  - Improve stream creation performance (Brian White)
    #19401
* Added new collaborators
  - [BethGriggs](https://github.com/BethGriggs) Beth Griggs

PR-URL: https://github.com/nodejs-private/node-private/pull/111
MayaLekova pushed a commit to MayaLekova/node that referenced this pull request May 8, 2018
PR-URL: nodejs#17690
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
MayaLekova pushed a commit to MayaLekova/node that referenced this pull request May 8, 2018
PR-URL: nodejs#17690
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
MayaLekova pushed a commit to MayaLekova/node that referenced this pull request May 8, 2018
PR-URL: nodejs#17690
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
MayaLekova pushed a commit to MayaLekova/node that referenced this pull request May 8, 2018
Include example on how to pin certificate and/or public key

PR-URL: nodejs#17690
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
MayaLekova pushed a commit to MayaLekova/node that referenced this pull request May 8, 2018
Notable Changes:

* crypto:
  - add cert.fingerprint256 as SHA256 fingerprint (Hannes Magnusson)
    nodejs#17690
* http2:
  - Fixed issues with aborted connections in the HTTP/2 implementation
    (Anna Henningsen)
    nodejs#18987
    nodejs#19002
* loader:
  - --inspect-brk now works properly for esmodules (Gus Caplan)
    nodejs#18949
* src:
  - make process.dlopen() load well-known symbol (Ben Noordhuis)
    nodejs#18934
* trace_events:
  - add file pattern cli option (Andreas Madsen)
    nodejs#18480
* Added new collaborators:
  - Chen Gang (MoonBall) https://github.com/MoonBall

PR-URL: nodejs#19181
@MylesBorins
Copy link
Contributor

is this something we would want to backport to v8.x?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. semver-minor PRs that contain new features and should be released in the next minor version. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants