From 58c110a74377171587a6ef28a6d5dff1f29a7d52 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 1 Dec 2015 16:29:07 -0500 Subject: [PATCH 2/2] Do not bundle CA Certificates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CA Certificates are provided by Fedora. Forwarded: need some feedback before submitting the matter upstream Author: Jérémy Lal Last-Update: 2014-03-02 Modified 2014-05-02 by T.C. Hollingsworth with the correct path for Fedora Modified 2015-12-01 by Stephen Gallagher to update for Node.js 4.2 --- src/node_crypto.cc | 31 ++++++++----------------------- 1 file changed, 8 insertions(+), 23 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 7911ce9..60516ad 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -119,7 +119,7 @@ static X509_NAME *cnnic_ev_name = static uv_mutex_t* locks; const char* const root_certs[] = { -#include "node_root_certs.h" // NOLINT(build/include_order) + NULL }; X509_STORE* root_cert_store; @@ -763,32 +763,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { CHECK_EQ(sc->ca_store_, nullptr); if (!root_cert_store) { - root_cert_store = X509_STORE_new(); - - for (size_t i = 0; i < ARRAY_SIZE(root_certs); i++) { - BIO* bp = NodeBIO::New(); - - if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) { - BIO_free_all(bp); - return; - } - - X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr); - - if (x509 == nullptr) { - BIO_free_all(bp); - return; - } - - X509_STORE_add_cert(root_cert_store, x509); - - BIO_free_all(bp); - X509_free(x509); + if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) { + root_cert_store = SSL_CTX_get_cert_store(sc->ctx_); + } else { + // empty store + root_cert_store = X509_STORE_new(); } + } else { + SSL_CTX_set_cert_store(sc->ctx_, root_cert_store); } sc->ca_store_ = root_cert_store; - SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); } -- 2.5.0