profile
viewpoint
Shigeki Ohtsu shigeki Tokyo, Japan

shigeki/node-class-diagram 62

Class Diagram of Node.js

shigeki/code_and_learn_nodefest_tokyo_2016 15

Code and Learn in Node Festival Tokyo 2016

shigeki/ask_nishida_about_quic_jp 10

QUICトランスポート機能に関して tcpm/mptcp wg chair の西田先生にいろいろ聞いてみる会

shigeki/node-v0.x-archive 8

evented I/O for v8 javascript

shigeki/interop-iij-http2 6

Information for HTTP/20 interop testing for iij-http2

shigeki/seccamp2015-crypto-workshopper 4

seccamp2015-crypto-workshopper

shigeki/libquic 3

QUIC, a multiplexed stream transport over UDP

shigeki/seccamp2015 3

Security Camp 2015

shigeki/seccamp2015-buffer-workshopper 2

seccamp2015-buffer-workshopper

Pull request review commentampproject/amppackager

Fix certcache to allow self-signed certs.

 const maxOCSPResponseBytes = 1024 * 1024 // How often to check if OCSP stapling needs updating. const ocspCheckInterval = 1 * time.Hour +// Sentinel value used to communicate that a returned OCSP was fake, and the caller should not attempt to parse it.+// No, I'm not proud.+var fakeOCSP = []byte("fake ocsp response")

The error can be resolved with the fix of https://play.golang.org/p/CvVyUD-_tji . The private key needs to be the issuer key which corresponds to the self-signed cert key in this case.

twifkak

comment created time in 3 months

Pull request review commentampproject/amppackager

Fix certcache to allow self-signed certs.

 const maxOCSPResponseBytes = 1024 * 1024 // How often to check if OCSP stapling needs updating. const ocspCheckInterval = 1 * time.Hour +// Sentinel value used to communicate that a returned OCSP was fake, and the caller should not attempt to parse it.+// No, I'm not proud.+var fakeOCSP = []byte("fake ocsp response")

It is possible to create a valid OCSP response by using the private key of a self-signed cert such as gateway.go does. But it needs two certs to have the same private key. https://github.com/ampproject/amppackager/blob/c9993b8ac4d17d1f05d3a1289956dadf3f9c370a/cmd/gateway_server/server.go#L148-L161

Or we can add an additional config to specify the issuer private key file to create a valid OCSP response.

twifkak

comment created time in 4 months

startedthekuwayama/tttls1.3

started time in 5 months

PR closed nodejs/node

deps: define OPENSSLDIR and ENGINESDIR explicitly openssl v8.x

According to CVE-2019-1552(*), it is encouraged to change OPENSSLDIR from the default of /usr/local/ssl to a privileged directory on Windows. "C:\Program Files\Common Files\SSL" is set as it is the default path in OpenSSL-1.1.1.

This is also described in https://github.com/openssl/openssl/commit/d333ebaf9c77332754a9d5e111e2f53e1de54fdd for the forthcoming release of OpenSSL-1.0.2t.

It breaks the compatibility of the OPENSSLDIR path with the previous v8 LTS releases. For v8 LTS will be ended after 4 months and its severity is LOW, I do not mind if this is not fixed.

(*) https://www.openssl.org/news/secadv/20190730.txt

Fixes: https://github.com/nodejs/node/issues/29445

<!-- Thank you for your pull request. Please provide a description above and review the requirements below.

Bug fixes and new features should include tests and possibly benchmarks.

Contributors guide: https://github.com/nodejs/node/blob/master/CONTRIBUTING.md -->

Checklist

<!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->

  • [x] make -j4 test (UNIX), or vcbuild test (Windows) passes
  • [ ] tests and/or benchmarks are included
  • [ ] documentation is changed or added
  • [x] commit message follows commit guidelines

<!-- Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or

(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or

(c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.

(d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved. -->

+2 -0

6 comments

1 changed file

shigeki

pr closed time in 5 months

pull request commentnodejs/node

deps: define OPENSSLDIR and ENGINESDIR explicitly

Close this for we agreed not to land this.

shigeki

comment created time in 5 months

issue commentnodejs/node

OpenSSL sec releases upcoming

Security Advisory was announced in https://www.openssl.org/news/secadv/20190910.txt.

Here are my assessments.

  • ECDSA remote timing attack (CVE-2019-1547) Not affected. Node supports only named curves for ECDSA signing.

  • Fork Protection (CVE-2019-1549) Affected. We do not have the crypto initialization of OPENSSL_INIT_ATFORK. Child processes would have the same random state as the parent. But I think it would be hard to attack it.

  • Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) Not affected. Node does not support PCKS7 and CMS.

sam-github

comment created time in 5 months

pull request commentnodejs/node

deps: define OPENSSLDIR and ENGINESDIR explicitly

Once concern is what happens if you upgrade from an earlier version and had config files in /usr/local/ssl. Would you run without the configuration you expected and not know it?

It depends. openssl.cnf can change various default values such as TLS versions and ciphers. Some changes might be known to a user but some might not.

Maybe we should look to see if there is config in /usr/local/ssl and warn that it's not going to be used in the current version?

/usr/local/ssl has no problems if it is protected by the privileged user. Node-v10 and later had a bug of the default path setting on Windows. No one would use it.

shigeki

comment created time in 5 months

more