From e0aac817a87c927f70a6f8edb63a4103a4109dfc Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 1 Dec 2015 16:29:07 -0500 Subject: [PATCH 2/2] Do not bundle CA Certificates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CA Certificates are provided by Fedora. Forwarded: need some feedback before submitting the matter upstream Author: Jérémy Lal Last-Update: 2014-03-02 Modified 2014-05-02 by T.C. Hollingsworth with the correct path for Fedora Modified 2015-12-01 by Stephen Gallagher to update for Node.js 4.2 Modified 2016-03-04 by Stephen Gallagher to update for Node.js 5.7.1 --- src/node_crypto.cc | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index acd83e9f2f41ade75ee9a3c8061acfa8b3dbf0f4..70ffe035f8be24b2eb6daf71185649d8ae7d579f 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -119,11 +119,11 @@ static X509_NAME *cnnic_ev_name = sizeof(CNNIC_EV_ROOT_CA_SUBJECT_DATA)-1); static uv_mutex_t* locks; const char* const root_certs[] = { -#include "node_root_certs.h" // NOLINT(build/include_order) + NULL }; X509_STORE* root_cert_store; // Just to generate static methods @@ -748,33 +748,21 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { (void) &clear_error_on_return; // Silence compiler warning. CHECK_EQ(sc->ca_store_, nullptr); if (!root_cert_store) { - root_cert_store = X509_STORE_new(); - - for (size_t i = 0; i < ARRAY_SIZE(root_certs); i++) { - BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i])); - if (bp == nullptr) { - return; - } - - X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr); - if (x509 == nullptr) { - BIO_free_all(bp); - return; - } - - X509_STORE_add_cert(root_cert_store, x509); - - BIO_free_all(bp); - X509_free(x509); + if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) { + root_cert_store = SSL_CTX_get_cert_store(sc->ctx_); + } else { + // empty store + root_cert_store = X509_STORE_new(); } + } else { + SSL_CTX_set_cert_store(sc->ctx_, root_cert_store); } sc->ca_store_ = root_cert_store; - SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); } void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { SecureContext* sc = Unwrap(args.Holder()); -- 2.7.2