2016-07-10 18:03:45 +00:00
|
|
|
From e51cf2ad2627af02e88df48287fe510e885ba1dc Mon Sep 17 00:00:00 2001
|
2015-12-02 00:48:58 +00:00
|
|
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
Date: Tue, 1 Dec 2015 16:29:07 -0500
|
|
|
|
|
Subject: [PATCH 2/2] Do not bundle CA Certificates
|
|
|
|
|
MIME-Version: 1.0
|
|
|
|
|
Content-Type: text/plain; charset=UTF-8
|
|
|
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
|
|
|
|
|
|
CA Certificates are provided by Fedora.
|
|
|
|
|
|
2014-05-03 01:24:05 +00:00
|
|
|
Forwarded: need some feedback before submitting the matter upstream
|
2016-07-10 18:03:45 +00:00
|
|
|
Author: J?r?my Lal <kapouer@melix.org>
|
2014-05-03 01:24:05 +00:00
|
|
|
Last-Update: 2014-03-02
|
|
|
|
|
|
|
|
|
|
Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
|
|
|
|
|
correct path for Fedora
|
2015-12-02 00:48:58 +00:00
|
|
|
|
|
|
|
|
Modified 2015-12-01 by Stephen Gallagher <sgallagh@redhat.com> to update for
|
|
|
|
|
Node.js 4.2
|
2016-03-04 17:25:36 +00:00
|
|
|
|
|
|
|
|
Modified 2016-03-04 by Stephen Gallagher <sgallagh@redhat.com> to update for
|
|
|
|
|
Node.js 5.7.1
|
2015-12-02 00:48:58 +00:00
|
|
|
|
2016-04-25 18:20:21 +00:00
|
|
|
Modified 2016-04-25 by Joseph Wang <joequant@gmail.com> to update for
|
|
|
|
|
Node.js 5.11.0
|
2016-07-10 18:03:45 +00:00
|
|
|
|
|
|
|
|
Modified 2016-07-10 by Zuzana Svetlikova <zsvetlik@redhat.com> to update for
|
|
|
|
|
Node.js 6.3.0
|
|
|
|
|
|
|
|
|
|
--- node/src/node_crypto.cc 2016-07-10 19:03:17.184502913 +0200
|
|
|
|
|
+++ node_crypto.cc 2016-07-10 18:56:28.956440528 +0200
|
|
|
|
|
@@ -118,7 +118,7 @@
|
|
|
|
|
static Mutex* mutexes;
|
2014-05-03 01:24:05 +00:00
|
|
|
|
2015-12-02 00:48:58 +00:00
|
|
|
const char* const root_certs[] = {
|
2014-05-03 01:24:05 +00:00
|
|
|
-#include "node_root_certs.h" // NOLINT(build/include_order)
|
2016-07-10 18:03:45 +00:00
|
|
|
+ NULL
|
2014-05-03 01:24:05 +00:00
|
|
|
};
|
|
|
|
|
|
2015-12-02 00:48:58 +00:00
|
|
|
X509_STORE* root_cert_store;
|
2016-07-10 18:03:45 +00:00
|
|
|
@@ -752,29 +752,17 @@
|
2015-12-02 00:48:58 +00:00
|
|
|
CHECK_EQ(sc->ca_store_, nullptr);
|
2014-05-03 01:24:05 +00:00
|
|
|
|
|
|
|
|
if (!root_cert_store) {
|
|
|
|
|
- root_cert_store = X509_STORE_new();
|
|
|
|
|
-
|
2016-04-25 18:20:21 +00:00
|
|
|
- for (size_t i = 0; i < arraysize(root_certs); i++) {
|
2016-03-04 17:25:36 +00:00
|
|
|
- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
|
|
|
|
|
- if (bp == nullptr) {
|
2015-12-02 00:48:58 +00:00
|
|
|
- return;
|
2014-05-03 01:24:05 +00:00
|
|
|
- }
|
|
|
|
|
-
|
2015-12-02 00:48:58 +00:00
|
|
|
- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
|
|
|
|
|
- if (x509 == nullptr) {
|
|
|
|
|
- BIO_free_all(bp);
|
|
|
|
|
- return;
|
2014-05-03 01:24:05 +00:00
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- X509_STORE_add_cert(root_cert_store, x509);
|
|
|
|
|
-
|
2015-12-02 00:48:58 +00:00
|
|
|
- BIO_free_all(bp);
|
2014-05-03 01:24:05 +00:00
|
|
|
- X509_free(x509);
|
|
|
|
|
+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
|
|
|
|
|
+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
|
|
|
|
|
+ } else {
|
|
|
|
|
+ // empty store
|
|
|
|
|
+ root_cert_store = X509_STORE_new();
|
|
|
|
|
}
|
|
|
|
|
+ } else {
|
2016-04-25 18:20:21 +00:00
|
|
|
+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
|
2014-05-03 01:24:05 +00:00
|
|
|
}
|
2015-12-02 00:48:58 +00:00
|
|
|
|
2014-05-03 01:24:05 +00:00
|
|
|
sc->ca_store_ = root_cert_store;
|
|
|
|
|
- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
|
|
|
|
|
}
|
2015-12-02 00:48:58 +00:00
|
|
|
|
|
|
|
|
|
