tls: include OpenSSL CAs in default CA list#64269
Conversation
|
Review requested:
|
3bea054 to
e73c4ad
Compare
|
@joyeecheung The existing behavior with OpenSSL CAs is that, during TLS connection setup, OpenSSL performs hash-based lookups for certificates. However, that behavior is not synchronized with what tls.getCACertificates('default') returns. Another possibility would be to allow the default type to accept a second lookup argument, but that seems to duplicate the purpose of adding a separate openssl type. Could you review the code by the way ? I really don't know how to support subject parse which maybe implement a |
There's also NODE_EXTRA_CA_CERTS to consider: // Flags: --use-openssl-ca
tls.getCACertificates('default'); // Either warn or error about no issuer name to filter for
tls.getCACertificates('default', cert); // Does not warn and perform a similar hash lookup for system certs, + extra certs from NODE_EXTRA_CA_CERTS if any
tls.getCACertificates('openssl', cert); // Similar, but no certs from NODE_EXTRA_CA_CERTS |
@joyeecheung |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #64269 +/- ##
==========================================
- Coverage 90.25% 90.22% -0.03%
==========================================
Files 741 741
Lines 241339 241483 +144
Branches 45476 45506 +30
==========================================
+ Hits 217810 217870 +60
- Misses 15084 15147 +63
- Partials 8445 8466 +21
🚀 New features to boost your workflow:
|
When --use-openssl-ca is enabled, TLS clients use OpenSSL's
default certificate locations, but tls.getCACertificates('default')
did not include those certificates.
Expose the enumerable OpenSSL default CA certificates through the
crypto binding and include them in the default CA list returned by
tls.getCACertificates('default').
Also add regression coverage using SSL_CERT_FILE to avoid depending
on the host system CA store.
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Fixes: #64258