From fd9bb56f9a742f6c2a0d4f71d6cd40930632aa5b Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Wed, 21 Dec 2016 11:16:38 +0100
Subject: [PATCH] crypto: Use system CAs instead of using bundled ones

NodeJS can already use an external, shared OpenSSL library. This library knows where to look for OS managed certificates. Allow a compile-time option to use this CA store by default instead of using bundled certificates. In case when using bundled OpenSSL, the paths are also valid for majority of Linux systems without additional intervention. If this is not set, we can use SSL_CERT_DIR to point it to correct location.

Fixes: https://github.com/nodejs/node/issues/3159
PR-URL: https://github.com/nodejs/node/pull/8334
Backport-PR-URL: https://github.com/nodejs/node/pull/11794
Reviewed-By: Sam Roberts
Reviewed-By: James M Snell
Reviewed-By: Fedor Indutny
---
 configure | 7 +++++++
 src/node_crypto.cc | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/configure b/configure
index 06f1f9a0d3..bb810c53dc 100755
--- a/configure
+++ b/configure
@@ -153,6 +153,11 @@ parser.add_option('--openssl-fips',
 dest='openssl_fips',
 help='Build OpenSSL using FIPS canister .o file in supplied folder')
+parser.add_option('--openssl-use-def-ca-store', action='store_true', dest='use_openssl_ca_store', help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')
+
 shared_optgroup.add_option('--shared-http-parser',
 action='store_true',
 dest='shared_http_parser',
@@ -953,6 +958,8 @@ def configure_openssl(o):
 o['variables']['node_use_openssl'] = b(not options.without_ssl)
 o['variables']['node_shared_openssl'] = b(options.shared_openssl)
 o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
+ if options.use_openssl_ca_store: o['defines'] += ['NODE_OPENSSL_CERT_STORE']
 if options.openssl_fips:
 o['variables']['openssl_fips'] = options.openssl_fips
 fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips') 
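Review bot: The help text for `--openssl-use-def-ca-store` in the first hunk says the CA store is "OpenSSL supplied" without saying which OpenSSL, yet the commit message makes that distinction matter: with --shared-openssl it is the system library's compiled-in default paths, without it the bundled copy's, which the message itself only claims to be valid for the majority of Linux systems. I would spell that out in the option help so a packager knows what trust root they are opting into, e.g. `help='Use the default CA paths of the linked OpenSSL (system OpenSSL with --shared-openssl, otherwise the bundled copy; SSL_CERT_DIR overrides) instead of the compiled-in Mozilla CA copy.'`. The same caveat belongs in a one-line comment above the `o['defines'] += ['NODE_OPENSSL_CERT_STORE']` line in the second hunk, since nothing else in the build records why the Mozilla bundle is being skipped; the rest of configure_openssl continues outside the hunk.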
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index b53ed24688..a9acc5dcf0 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -708,10 +708,14 @@ static X509_STORE* NewRootCertStore() {
 }
 X509_STORE* store = X509_STORE_new();
+#if defined(NODE_OPENSSL_CERT_STORE)
+ X509_STORE_set_default_paths(store);
+#else
 for (X509 *cert : root_certs_vector) {
 X509_up_ref(cert);
 X509_STORE_add_cert(store, cert);
 }
+#endif
 return store;
 }
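Review bot: The return value of `X509_STORE_set_default_paths(store)` on the new `#if defined(NODE_OPENSSL_CERT_STORE)` branch is discarded, so if installing the file/dir lookups fails the function hands back a store that trusts nothing and every TLS peer is later rejected with no hint that the trust root was never loaded. I would check it and fail loudly, e.g. `if (X509_STORE_set_default_paths(store) != 1) { X509_STORE_free(store); return nullptr; }`, which in turn requires the callers of NewRootCertStore (not in this hunk) to handle a null store. As far as I recall, OpenSSL clears the errors from a missing default cert file or directory inside that call rather than reporting them, so a wrong OPENSSLDIR only shows up as verification failures; the branch therefore deserves a comment stating that the paths are the ones compiled into the linked libcrypto (the bundled copy's unless built with --shared-openssl) and that SSL_CERT_FILE/SSL_CERT_DIR override them, which is what the commit message relies on. NewRootCertStore begins before this hunk, so the root_certs_vector setup whose closing brace opens the hunk is not visible here; if that loop still runs unconditionally, the bundled certificates are parsed and kept resident even though this branch never adds them to the store.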