From: Jakub Jirutka <jakub@jirutka.cz>
Date: Sat, 26 Nov 2016 21:18:00 +0200
Subject: Use system-provided CA certificates instead of bundled ones

--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -116,8 +116,8 @@
 
 static Mutex* mutexes;
 
-const char* const root_certs[] = {
-#include "node_root_certs.h"  // NOLINT(build/include_order)
+const char* root_certs[] = {
+  NULL
 };
 
 X509_STORE* root_cert_store;
@@ -688,25 +688,33 @@
 
 
 static X509_STORE* NewRootCertStore() {
+  X509_STORE* store = X509_STORE_new();
+
   if (!root_certs_vector) {
     root_certs_vector = new std::vector<X509*>;
 
-    for (size_t i = 0; i < arraysize(root_certs); i++) {
-      BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
-      X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
-      BIO_free(bp);
-
-      if (x509 == nullptr) {
-        // Parse errors from the built-in roots are fatal.
-        ABORT();
-        return nullptr;
-      }
+    BIO* bio = BIO_new(BIO_s_file());
+    if (bio == nullptr) {
+      abort();
+      return nullptr;
+    }
+
+    if (BIO_read_filename(bio, "/etc/ssl/certs/ca-certificates.crt") == 1) {
+      STACK_OF(X509_INFO)* certs = PEM_X509_INFO_read_bio(bio, nullptr, nullptr, nullptr);
 
-      root_certs_vector->push_back(x509);
+      for (int i = 0; i < sk_X509_INFO_num(certs); i++) {
+        X509* cert = sk_X509_INFO_value(certs, i)->x509;
+
+        if (cert) {
+          X509_up_ref(cert);
+          root_certs_vector->push_back(cert);
+        }
+      }
+      sk_X509_INFO_pop_free(certs, X509_INFO_free);
     }
+    BIO_free_all(bio);
   }
 
-  X509_STORE* store = X509_STORE_new();
   for (auto& cert : *root_certs_vector) {
     X509_up_ref(cert);
     X509_STORE_add_cert(store, cert);