Skip to content

tls: include OpenSSL CAs in default CA list#64269

Open
Archkon wants to merge 3 commits into
nodejs:mainfrom
Archkon:tls
Open

tls: include OpenSSL CAs in default CA list#64269
Archkon wants to merge 3 commits into
nodejs:mainfrom
Archkon:tls

Conversation

@Archkon

@Archkon Archkon commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Fixes: #64258

@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem. typings labels Jul 3, 2026
Comment thread src/crypto/crypto_context.cc
Comment thread doc/api/tls.md Outdated
@Archkon Archkon requested a review from joyeecheung July 4, 2026 03:35
@Archkon Archkon force-pushed the tls branch 2 times, most recently from 3bea054 to e73c4ad Compare July 4, 2026 18:32
@Archkon

Archkon commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

@joyeecheung
I’m not sure whether we should add support for the OpenSSL CA flag when developers pass the default type.

The existing behavior with OpenSSL CAs is that, during TLS connection setup, OpenSSL performs hash-based lookups for certificates. However, that behavior is not synchronized with what tls.getCACertificates('default') returns.

Another possibility would be to allow the default type to accept a second lookup argument, but that seems to duplicate the purpose of adding a separate openssl type.

Could you review the code by the way ? I really don't know how to support subject parse which maybe implement a
OpenSSL/RFC2253 subject parser ?

@joyeecheung

Copy link
Copy Markdown
Member

Another possibility would be to allow the default type to accept a second lookup argument, but that seems to duplicate the purpose of adding a separate openssl type.

There's also NODE_EXTRA_CA_CERTS to consider:

// Flags: --use-openssl-ca
tls.getCACertificates('default');   // Either warn or error about no issuer name to filter for
tls.getCACertificates('default', cert);  // Does not warn and perform a similar hash lookup for system certs, + extra certs from NODE_EXTRA_CA_CERTS if any
tls.getCACertificates('openssl', cert);  // Similar, but no certs from NODE_EXTRA_CA_CERTS

@Archkon

Archkon commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

Another possibility would be to allow the default type to accept a second lookup argument, but that seems to duplicate the purpose of adding a separate openssl type.

There's also NODE_EXTRA_CA_CERTS to consider:

// Flags: --use-openssl-ca
tls.getCACertificates('default');   // Either warn or error about no issuer name to filter for
tls.getCACertificates('default', cert);  // Does not warn and perform a similar hash lookup for system certs, + extra certs from NODE_EXTRA_CA_CERTS if any
tls.getCACertificates('openssl', cert);  // Similar, but no certs from NODE_EXTRA_CA_CERTS

@joyeecheung
So are we only allowing this API to accept certificates as valid arguments, while dropping support for subject name ? And one more thing, I need calrification about how to deal with developers who call tls.getCACertificates('openssl', cert);without --use-openssl-ca as flag to pass? allow or not?

@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 79.37500% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.22%. Comparing base (116302d) to head (fc25c33).

Files with missing lines Patch % Lines
src/crypto/crypto_context.cc 68.29% 13 Missing and 13 partials ⚠️
lib/tls.js 91.02% 6 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #64269      +/-   ##
==========================================
- Coverage   90.25%   90.22%   -0.03%     
==========================================
  Files         741      741              
  Lines      241339   241483     +144     
  Branches    45476    45506      +30     
==========================================
+ Hits       217810   217870      +60     
- Misses      15084    15147      +63     
- Partials     8445     8466      +21     
Files with missing lines Coverage Δ
lib/tls.js 92.64% <91.02%> (-0.50%) ⬇️
src/crypto/crypto_context.cc 72.23% <68.29%> (-0.04%) ⬇️

... and 29 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Archkon added 3 commits July 11, 2026 01:22
  When --use-openssl-ca is enabled, TLS clients use OpenSSL's
  default certificate locations, but tls.getCACertificates('default')
  did not include those certificates.

  Expose the enumerable OpenSSL default CA certificates through the
  crypto binding and include them in the default CA list returned by
  tls.getCACertificates('default').

  Also add regression coverage using SSL_CERT_FILE to avoid depending
  on the host system CA store.

Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
test

test

test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem. typings

Projects

None yet

Development

Successfully merging this pull request may close these issues.

tls.getCACertificates("default") always returns an empty list when using --use-openssl-ca

3 participants