'use strict'; const common = require('../common'); if (!common.hasCrypto) { common.skip('missing crypto'); return; } // Test interaction of compiled-in CAs with user-provided CAs. const assert = require('assert'); const fs = require('fs'); const tls = require('tls'); function filenamePEM(n) { return require('path').join(common.fixturesDir, 'keys', n + '.pem'); } function loadPEM(n) { return fs.readFileSync(filenamePEM(n)); } const caCert = loadPEM('ca1-cert'); const opts = { host: 'www.nodejs.org', port: 443, rejectUnauthorized: true }; // Success relies on the compiled in well-known root CAs tls.connect(opts, common.mustCall(end)); // The .ca option replaces the well-known roots, so connection fails. opts.ca = caCert; tls.connect(opts, fail).on('error', common.mustCall((err) => { assert.strictEqual(err.message, 'unable to get local issuer certificate'); })); function fail() { assert.fail('should fail to connect'); } // New secure contexts have the well-known root CAs. opts.secureContext = tls.createSecureContext(); tls.connect(opts, common.mustCall(end)); // Explicit calls to addCACert() add to the default well-known roots, instead // of replacing, so connection still succeeds. opts.secureContext.context.addCACert(caCert); tls.connect(opts, common.mustCall(end)); function end() { this.end(); }