From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Wed, 21 Dec 2016 11:16:38 +0100 Subject: [PATCH] crypto: Use system CAs instead of using bundled ones NodeJS can already use an external, shared OpenSSL library. This library knows where to look for OS managed certificates. Allow a compile-time option to use this CA store by default instead of using bundled certificates. In case when using bundled OpenSSL, the paths are also valid for majority of Linux systems without additional intervention. If this is not set, we can use SSL_CERT_DIR to point it to correct location. Fixes: https://github.com/nodejs/node/issues/3159 PR-URL: https://github.com/nodejs/node/pull/8334 Reviewed-By: Sam Roberts Reviewed-By: James M Snell Reviewed-By: Fedor Indutny Source: http://pkgs.fedoraproject.org/cgit/rpms/nodejs.git/tree/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch --- configure | 7 +++++++ src/node_crypto.cc | 4 ++++ 2 files changed, 11 insertions(+) diff --git a/configure b/configure index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755 --- a/configure +++ b/configure @@ -142,10 +142,15 @@ parser.add_option("--openssl-no-asm", parser.add_option('--openssl-fips', action='store', dest='openssl_fips', help='Build OpenSSL using FIPS canister .o file in supplied folder') +parser.add_option('--openssl-use-def-ca-store', + action='store_true', + dest='use_openssl_ca_store', + help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.') + shared_optgroup.add_option('--shared-http-parser', action='store_true', dest='shared_http_parser', help='link to a shared http_parser DLL instead of static linking') @@ -937,10 +942,12 @@ def configure_v8(o): def configure_openssl(o): o['variables']['node_use_openssl'] = b(not options.without_ssl) o['variables']['node_shared_openssl'] = b(options.shared_openssl) o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0 + if options.use_openssl_ca_store: + o['defines'] += ['NODE_OPENSSL_CERT_STORE'] if options.openssl_fips: o['variables']['openssl_fips'] = options.openssl_fips fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips') fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld')) o['make_fips_settings'] = [ diff --git a/src/node_crypto.cc b/src/node_crypto.cc index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() { root_certs_vector->push_back(x509); } } X509_STORE* store = X509_STORE_new(); +#if defined(NODE_OPENSSL_CERT_STORE) + X509_STORE_set_default_paths(store); +#else for (auto& cert : *root_certs_vector) { X509_up_ref(cert); X509_STORE_add_cert(store, cert); } +#endif return store; } -- 2.12.0