tls: include OpenSSL CAs in default CA list#64269
Conversation
|
Review requested:
|
When --use-openssl-ca is enabled, TLS clients use OpenSSL's
default certificate locations, but tls.getCACertificates('default')
did not include those certificates.
Expose the enumerable OpenSSL default CA certificates through the
crypto binding and include them in the default CA list returned by
tls.getCACertificates('default').
Also add regression coverage using SSL_CERT_FILE to avoid depending
on the host system CA store.
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
|
@joyeecheung The existing behavior with OpenSSL CAs is that, during TLS connection setup, OpenSSL performs hash-based lookups for certificates. However, that behavior is not synchronized with what tls.getCACertificates('default') returns. Another possibility would be to allow the default type to accept a second lookup argument, but that seems to duplicate the purpose of adding a separate openssl type. Could you review the code by the way ? I really don't know how to support subject parse which maybe implement a |
There's also NODE_EXTRA_CA_CERTS to consider: // Flags: --use-openssl-ca
tls.getCACertificates('default'); // Either warn or error about no issuer name to filter for
tls.getCACertificates('default', cert); // Does not warn and perform a similar hash lookup for system certs, + extra certs from NODE_EXTRA_CA_CERTS if any
tls.getCACertificates('openssl', cert); // Similar, but no certs from NODE_EXTRA_CA_CERTS |
So are we only allowing this API to accept |
Fixes: #64258