1b7255bc99
https://nodejs.org/en/blog/release/v6.10.0/ New patch for handling system CA certificates
85 lines
2.9 KiB
Diff
85 lines
2.9 KiB
Diff
From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001
|
|
From: Adam Majer <amajer@suse.de>
|
|
Date: Wed, 21 Dec 2016 11:16:38 +0100
|
|
Subject: [PATCH 3/4] crypto: Use system CAs instead of using bundled ones
|
|
|
|
NodeJS can already use an external, shared OpenSSL library. This
|
|
library knows where to look for OS managed certificates. Allow
|
|
a compile-time option to use this CA store by default instead of
|
|
using bundled certificates.
|
|
|
|
In case when using bundled OpenSSL, the paths are also valid for
|
|
majority of Linux systems without additional intervention. If
|
|
this is not set, we can use SSL_CERT_DIR to point it to correct
|
|
location.
|
|
|
|
Fixes: https://github.com/nodejs/node/issues/3159
|
|
PR-URL: https://github.com/nodejs/node/pull/8334
|
|
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
|
|
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
|
|
---
|
|
configure | 7 +++++++
|
|
src/node_crypto.cc | 4 ++++
|
|
2 files changed, 11 insertions(+)
|
|
|
|
diff --git a/configure b/configure
|
|
index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755
|
|
--- a/configure
|
|
+++ b/configure
|
|
@@ -142,10 +142,15 @@ parser.add_option("--openssl-no-asm",
|
|
parser.add_option('--openssl-fips',
|
|
action='store',
|
|
dest='openssl_fips',
|
|
help='Build OpenSSL using FIPS canister .o file in supplied folder')
|
|
|
|
+parser.add_option('--openssl-use-def-ca-store',
|
|
+ action='store_true',
|
|
+ dest='use_openssl_ca_store',
|
|
+ help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')
|
|
+
|
|
shared_optgroup.add_option('--shared-http-parser',
|
|
action='store_true',
|
|
dest='shared_http_parser',
|
|
help='link to a shared http_parser DLL instead of static linking')
|
|
|
|
@@ -937,10 +942,12 @@ def configure_v8(o):
|
|
|
|
def configure_openssl(o):
|
|
o['variables']['node_use_openssl'] = b(not options.without_ssl)
|
|
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
|
|
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
|
|
+ if options.use_openssl_ca_store:
|
|
+ o['defines'] += ['NODE_OPENSSL_CERT_STORE']
|
|
if options.openssl_fips:
|
|
o['variables']['openssl_fips'] = options.openssl_fips
|
|
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
|
|
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
|
|
o['make_fips_settings'] = [
|
|
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
|
|
index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644
|
|
--- a/src/node_crypto.cc
|
|
+++ b/src/node_crypto.cc
|
|
@@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() {
|
|
root_certs_vector->push_back(x509);
|
|
}
|
|
}
|
|
|
|
X509_STORE* store = X509_STORE_new();
|
|
+#if defined(NODE_OPENSSL_CERT_STORE)
|
|
+ X509_STORE_set_default_paths(store);
|
|
+#else
|
|
for (auto& cert : *root_certs_vector) {
|
|
X509_up_ref(cert);
|
|
X509_STORE_add_cert(store, cert);
|
|
}
|
|
+#endif
|
|
|
|
return store;
|
|
}
|
|
|
|
|
|
--
|
|
2.12.0
|
|
|