diff --git a/nodejs-use-system-certs.patch b/nodejs-use-system-certs.patch
new file mode 100644
index 0000000..fe2abab
--- /dev/null
+++ b/nodejs-use-system-certs.patch
@@ -0,0 +1,58 @@
+Description: do not bundle CA certificates, openssl on Debian have them
+ As a consequence, nodejs must depend on ca-certificates.
+Forwarded: need some feedback before submitting the matter upstream
+Author: Jérémy Lal
+Last-Update: 2014-03-02
+
+Modified 2014-05-02 by T.C. Hollingsworth with the
+correct path for Fedora
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -64,7 +64,6 @@
+ namespace node {
+ 
+ const char* root_certs[] = {
+-#include "node_root_certs.h" // NOLINT(build/include_order)
+ NULL
+ };
+ 
+@@ -561,32 +560,16 @@
+ assert(sc->ca_store_ == NULL);
+ 
+ if (!root_cert_store) {
+- root_cert_store = X509_STORE_new();
+-
+- for (int i = 0; root_certs[i]; i++) {
+- BIO *bp = BIO_new(BIO_s_mem());
+-
+- if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
+- BIO_free(bp);
+- return False();
+- }
+-
+- X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
+-
+- if (x509 == NULL) {
+- BIO_free(bp);
+- return False();
+- }
+-
+- X509_STORE_add_cert(root_cert_store, x509);
+-
+- BIO_free(bp);
+- X509_free(x509);
++ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
++ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
++ } else {
++ // empty store
++ root_cert_store = X509_STORE_new();
+ }
++ } else {
++ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
+ }
+-
+ sc->ca_store_ = root_cert_store;
+- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
+ 
+ return True();
+ }
diff --git a/nodejs.spec b/nodejs.spec
index 41fef8d..cf01c5a 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,6 +1,6 @@
 Name: nodejs
 Version: 0.10.28
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: JavaScript runtime
 License: MIT and ASL 2.0 and ISC and BSD
 Group: Development/Languages
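Review bot: In the failure branch of the new `if (SSL_CTX_load_verify_locations(...) == 1)` (second inner hunk, `@@ -561,32 +560,16 @@`), the empty store from `X509_STORE_new()` is assigned to `sc->ca_store_` but never attached to `sc->ctx_`: the `SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_)` that used to follow the block is removed, and the new call only runs in the outer `else` for later contexts. The context keeps its own store while `ca_store_` points at one it does not consult, and the failure is silent where the original returned `False()` on a bad certificate; because the empty store is also cached in the static `root_cert_store`, a missing or unreadable bundle on the first call pins every later context to an empty store for the life of the process. Either keep the original fail-loud behaviour with `return False();` in place of the two `X509_STORE_new()` lines, or add `SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);` right after it so the context and `ca_store_` agree. The enclosing function starts outside the inner hunk; the `root_certs[]` array left with only `NULL` is now unused but harmless.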
@@ -23,6 +23,11 @@ Source7: nodejs_native.attr # Disable running gyp on bundled deps we don't use Patch1: nodejs-disable-gyp-deps.patch +# use system certificates instead of the bundled ones +# modified version of Debian patch: +# http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch +Patch2: nodejs-use-system-certs.patch + # V8 presently breaks ABI at least every x.y release while never bumping SONAME, # so we need to be more explicit until spot fixes that %global v8_ge 1:3.14.5.7 @@ -40,6 +45,9 @@ BuildRequires: openssl-devel >= 1:1.0.1 Requires: v8%{?_isa} >= %{v8_ge} Requires: v8%{?_isa} < %{v8_lt} +# we need the system certificate store when Patch2 is applied +Requires: ca-certificates + #we need ABI virtual provides where SONAMEs aren't enough/not present so deps #break when binary compatibility is broken %global nodejs_abi 0.10 @@ -83,10 +91,15 @@ The API documentation for the Node.js JavaScript runtime. %prep %setup -q -n node-v%{version} -%patch1 -p1 +# remove bundled dependencies +%patch1 -p1 rm -rf deps +# remove bundled CA certificates +%patch2 -p1 +rm -f src/node_root_certs.h + %build # build with debugging symbols and add defines from libuv (#892601) export CFLAGS='%{optflags} -g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' @@ -160,6 +173,12 @@ cp -p common.gypi %{buildroot}%{_datadir}/node %{_defaultdocdir}/%{name}-docs-%{version} %changelog +* Sat May 03 2014 T.C. Hollingsworth - 0.10.28-2 +- use the system certificate store instead of the bundled copy + both are based on the Mozilla CA list, so the only effect this should have is + making additional certificates added by the system administrator available to + node + * Sat May 03 2014 T.C. Hollingsworth - 0.10.28-1 - new upstream release 0.10.28 There is no dfference between 0.10.27 and 0.10.28 for Fedora, as the only
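Review bot: The new `Requires: ca-certificates` in the third hunk records why the dependency exists but not what node actually consumes; Patch2 opens `/etc/pki/tls/certs/ca-bundle.crt` at runtime, and nothing in the spec ties the package name to that path. Extending the comment to `# Patch2 makes node read /etc/pki/tls/certs/ca-bundle.crt at runtime; keep in sync with the path hard-coded in the patch` would keep the two from drifting apart. In the fourth hunk, `rm -f src/node_root_certs.h` is belt-and-braces once Patch2 drops the `#include`, but a plain `rm src/node_root_certs.h` would make an upstream rename fail the build rather than silently leave a bundled copy in the tree.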