mirror of https://github.com/lukechilds/node.git
Browse Source
In closed environments, self-signed or privately signed certificates are commonly used, and rejected by Node.js since their root CAs are not well-known. Allow extending the set of well-known compiled-in CAs via environment, so they can be set as a matter of policy. PR-URL: https://github.com/nodejs/node/pull/9139 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>v6
Sam Roberts
8 years ago
6 changed files with 150 additions and 0 deletions
@ -0,0 +1,43 @@ |
|||
// Setting NODE_EXTRA_CA_CERTS to non-existent file emits a warning
|
|||
|
|||
'use strict'; |
|||
const common = require('../common'); |
|||
|
|||
if (!common.hasCrypto) { |
|||
common.skip('missing crypto'); |
|||
return; |
|||
} |
|||
|
|||
const assert = require('assert'); |
|||
const tls = require('tls'); |
|||
const fork = require('child_process').fork; |
|||
|
|||
if (process.env.CHILD) { |
|||
// This will try to load the extra CA certs, and emit a warning when it fails.
|
|||
return tls.createServer({}); |
|||
} |
|||
|
|||
const env = { |
|||
CHILD: 'yes', |
|||
NODE_EXTRA_CA_CERTS: common.fixturesDir + '/no-such-file-exists', |
|||
}; |
|||
|
|||
var opts = { |
|||
env: env, |
|||
silent: true, |
|||
}; |
|||
var stderr = ''; |
|||
|
|||
fork(__filename, opts) |
|||
.on('exit', common.mustCall(function(status) { |
|||
assert.equal(status, 0, 'client did not succeed in connecting'); |
|||
})) |
|||
.on('close', common.mustCall(function() { |
|||
assert(stderr.match(new RegExp( |
|||
'Warning: Ignoring extra certs from.*no-such-file-exists' + |
|||
'.* load failed:.*No such file or directory' |
|||
)), stderr); |
|||
})) |
|||
.stderr.setEncoding('utf8').on('data', function(str) { |
|||
stderr += str; |
|||
}); |
@ -0,0 +1,45 @@ |
|||
// Certs in NODE_EXTRA_CA_CERTS are used for TLS peer validation
|
|||
|
|||
'use strict'; |
|||
const common = require('../common'); |
|||
|
|||
if (!common.hasCrypto) { |
|||
common.skip('missing crypto'); |
|||
return; |
|||
} |
|||
|
|||
const assert = require('assert'); |
|||
const tls = require('tls'); |
|||
const fork = require('child_process').fork; |
|||
const fs = require('fs'); |
|||
|
|||
if (process.env.CHILD) { |
|||
const copts = { |
|||
port: process.env.PORT, |
|||
checkServerIdentity: function() {}, |
|||
}; |
|||
const client = tls.connect(copts, function() { |
|||
client.end('hi'); |
|||
}); |
|||
return; |
|||
} |
|||
|
|||
const options = { |
|||
key: fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem'), |
|||
cert: fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem'), |
|||
}; |
|||
|
|||
const server = tls.createServer(options, function(s) { |
|||
s.end('bye'); |
|||
server.close(); |
|||
}).listen(0, common.mustCall(function() { |
|||
const env = { |
|||
CHILD: 'yes', |
|||
PORT: this.address().port, |
|||
NODE_EXTRA_CA_CERTS: common.fixturesDir + '/keys/ca1-cert.pem', |
|||
}; |
|||
|
|||
fork(__filename, {env: env}).on('exit', common.mustCall(function(status) { |
|||
assert.equal(status, 0, 'client did not succeed in connecting'); |
|||
})); |
|||
})); |
Loading…
Reference in new issue