Commit fd9bb56

AdamMajer authored and MylesBorins committed
crypto: Use system CAs instead of using bundled ones
NodeJS can already use an external, shared OpenSSL library. This library knows where to look for OS-managed certificates. Allow a compile-time option to use this CA store by default instead of using bundled certificates.

When using bundled OpenSSL, the paths are also valid for the majority of Linux systems without additional intervention. If this is not set, we can use SSL_CERT_DIR to point it to the correct location.

Fixes: #3159
PR-URL: #8334
Backport-PR-URL: #11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
1 parent bbfd2e3 commit fd9bb56
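The commit message relies on OpenSSL knowing where the OS-managed certificates live and on SSL_CERT_DIR as the override when it does not. The following is an added example, not part of this commit or of Node.js, that lets an operator check those two things on a host before enabling the option: it uses Python's ssl module because `SSLContext.set_default_verify_paths()` invokes the same OpenSSL routine, `X509_STORE_set_default_paths()`, that the patched `NewRootCertStore()` calls when `NODE_OPENSSL_CERT_STORE` is defined. The function names and the empty directory it constructs are this example's own; the environment variable names are OpenSSL's.

```python
"""Added example (not part of this commit): inspect which CA store OpenSSL's
default paths resolve to, and reproduce the empty-store failure mode.

Python's ssl module is used because SSLContext.set_default_verify_paths()
calls the same OpenSSL routine, X509_STORE_set_default_paths(), that the
patched NewRootCertStore() calls when NODE_OPENSSL_CERT_STORE is defined.
All function names below are this example's own.
"""
import os
import ssl
import tempfile

# The two environment variables OpenSSL consults inside
# X509_STORE_set_default_paths(); SSL_CERT_DIR is the one the commit names.
_ENV_VARS = ("SSL_CERT_FILE", "SSL_CERT_DIR")


def default_verify_paths():
    """Report OpenSSL's compiled-in CA locations and the effective ones.

    'compiled_in_*' come from the OpenSSL build (its OPENSSLDIR); the
    'effective_*' values apply the SSL_CERT_FILE / SSL_CERT_DIR overrides
    from the current environment and are None when the path does not exist.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile_env": p.openssl_cafile_env,      # "SSL_CERT_FILE"
        "capath_env": p.openssl_capath_env,      # "SSL_CERT_DIR"
        "compiled_in_cafile": p.openssl_cafile,
        "compiled_in_capath": p.openssl_capath,
        "effective_cafile": p.cafile,
        "effective_capath": p.capath,
    }


def trusted_ca_count(env_overrides=None):
    """Load the OpenSSL default paths into a fresh store and count its CAs.

    env_overrides maps SSL_CERT_FILE / SSL_CERT_DIR to values applied only
    for the duration of the call (None unsets the variable); OpenSSL reads
    them inside X509_STORE_set_default_paths(), so the result is what a
    process started with that environment would trust. Only certificates
    read eagerly from the CA file are counted: a hashed CA directory is
    consulted lazily per lookup, so 0 here means the CA file is missing or
    empty, not necessarily that the directory is.
    """
    saved = {k: os.environ.get(k) for k in _ENV_VARS}
    try:
        for k, v in (env_overrides or {}).items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with no roots
        ctx.set_default_verify_paths()  # -> X509_STORE_set_default_paths()
        return ctx.cert_store_stats()["x509_ca"]
    finally:
        for k, v in saved.items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v


def empty_store_demo():
    """Reproduce the case the SSL_CERT_DIR remark in the commit guards
    against: point OpenSSL at a constructed, empty location and show that
    the resulting store trusts no CA at all (returns 0), which is what a
    NODE_OPENSSL_CERT_STORE build would get on a host with no CA bundle."""
    empty_dir = tempfile.mkdtemp(prefix="empty-ca-")  # constructed, empty
    return trusted_ca_count({
        "SSL_CERT_FILE": os.path.join(empty_dir, "no-such-bundle.pem"),
        "SSL_CERT_DIR": empty_dir,
    })


if __name__ == "__main__":
    for key, value in default_verify_paths().items():
        print(f"{key:>20}: {value}")
    print("CAs from default paths (current env):", trusted_ca_count())
    print("CAs from default paths (empty store) :", empty_store_demo())
```

Run it on the host where the system-store build will be deployed: `compiled_in_cafile` / `compiled_in_capath` show what a statically linked OpenSSL would look at by default, `effective_*` show what SSL_CERT_DIR / SSL_CERT_FILE currently redirect that to, and a `trusted_ca_count()` of 0 under the real environment is the signal that the option needs SSL_CERT_DIR pointed somewhere useful before any TLS verification will succeed.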

2 files changed: 11 additions & 0 deletions

configure: 7 additions & 0 deletions
@@ -153,6 +153,11 @@ parser.add_option('--openssl-fips',
153153
dest='openssl_fips',
154154
help='Build OpenSSL using FIPS canister .o file in supplied folder')
155155

156+
parser.add_option('--openssl-use-def-ca-store',
157+
action='store_true',
158+
dest='use_openssl_ca_store',
159+
help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')
160+
156161
shared_optgroup.add_option('--shared-http-parser',
157162
action='store_true',
158163
dest='shared_http_parser',
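Review bot: the new option's `dest='use_openssl_ca_store'` does not follow the flag name `--openssl-use-def-ca-store`, whereas the neighbouring `--openssl-fips` maps to `dest='openssl_fips'`; use `dest='openssl_use_def_ca_store'` (and update the `options.use_openssl_ca_store` read in `configure_openssl`) so the two can be grepped together. The help string should also state the consequence the commit message describes: with this option the trusted roots are whatever the OpenSSL default paths resolve to on the build host, and SSL_CERT_DIR is the override when that location is wrong or empty.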
@@ -953,6 +958,8 @@ def configure_openssl(o):
953958
o['variables']['node_use_openssl'] = b(not options.without_ssl)
954959
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
955960
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
961+
if options.use_openssl_ca_store:
962+
o['defines'] += ['NODE_OPENSSL_CERT_STORE']
956963
if options.openssl_fips:
957964
o['variables']['openssl_fips'] = options.openssl_fips
958965
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
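Review bot: `o['defines'] += ['NODE_OPENSSL_CERT_STORE']` is appended whenever the option is given, including alongside `--without-ssl` (the `node_use_openssl` line two lines up is computed from `options.without_ssl`); that is harmless today, but printing a warning or rejecting the combination would catch a build that asks for the system store while having no OpenSSL at all. The define's name also does not say what it selects; something like `NODE_OPENSSL_SYSTEM_CERT_STORE` would read naturally beside the flag and the `#if` in `node_crypto.cc`.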
src/node_crypto.cc: 4 additions & 0 deletions
@@ -708,10 +708,14 @@ static X509_STORE* NewRootCertStore() {
708708
}
709709

710710
X509_STORE* store = X509_STORE_new();
711+
#if defined(NODE_OPENSSL_CERT_STORE)
712+
X509_STORE_set_default_paths(store);
713+
#else
711714
for (X509 *cert : root_certs_vector) {
712715
X509_up_ref(cert);
713716
X509_STORE_add_cert(store, cert);
714717
}
718+
#endif
715719

716720
return store;
717721
}
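Review bot: the return value of `X509_STORE_set_default_paths(store)` is discarded, and even checking it would not be enough: OpenSSL reports 0 there only when the file/dir lookups cannot be allocated, while a missing or empty default CA file or directory is accepted silently. A `NODE_OPENSSL_CERT_STORE` build on a host with no populated store therefore returns a store that trusts nothing, and the operator only finds out when every TLS verification fails with a certificate error. Suggest checking the return value and, where the linked OpenSSL allows, that the store is non-empty after the call, and emitting a clear diagnostic that names SSL_CERT_DIR as the fix; at minimum, document that behaviour next to the `#if`.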

0 commit comments