Skip to content

tls: include OpenSSL CAs in default CA list#64269

Open
Archkon wants to merge 3 commits into
nodejs:mainfrom
Archkon:tls
Open

tls: include OpenSSL CAs in default CA list#64269
Archkon wants to merge 3 commits into
nodejs:mainfrom
Archkon:tls

Conversation

@Archkon

@Archkon Archkon commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Fixes: #64258

@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem. typings labels Jul 3, 2026
Comment thread src/crypto/crypto_context.cc
Comment thread doc/api/tls.md Outdated
Archkon added 2 commits July 5, 2026 02:30
  When --use-openssl-ca is enabled, TLS clients use OpenSSL's
  default certificate locations, but tls.getCACertificates('default')
  did not include those certificates.

  Expose the enumerable OpenSSL default CA certificates through the
  crypto binding and include them in the default CA list returned by
  tls.getCACertificates('default').

  Also add regression coverage using SSL_CERT_FILE to avoid depending
  on the host system CA store.

Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
@Archkon

Archkon commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

@joyeecheung
I’m not sure whether we should add support for the OpenSSL CA flag when developers pass the default type.

The existing behavior with OpenSSL CAs is that, during TLS connection setup, OpenSSL performs hash-based lookups for certificates. However, that behavior is not synchronized with what tls.getCACertificates('default') returns.

Another possibility would be to allow the default type to accept a second lookup argument, but that seems to duplicate the purpose of adding a separate openssl type.

Could you review the code by the way ? I really don't know how to support subject parse which maybe implement a
OpenSSL/RFC2253 subject parser ?

@joyeecheung

Copy link
Copy Markdown
Member

Another possibility would be to allow the default type to accept a second lookup argument, but that seems to duplicate the purpose of adding a separate openssl type.

There's also NODE_EXTRA_CA_CERTS to consider:

// Flags: --use-openssl-ca
tls.getCACertificates('default');   // Either warn or error about no issuer name to filter for
tls.getCACertificates('default', cert);  // Does not warn and perform a similar hash lookup for system certs, + extra certs from NODE_EXTRA_CA_CERTS if any
tls.getCACertificates('openssl', cert);  // Similar, but no certs from NODE_EXTRA_CA_CERTS

@Archkon

Archkon commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

Another possibility would be to allow the default type to accept a second lookup argument, but that seems to duplicate the purpose of adding a separate openssl type.

There's also NODE_EXTRA_CA_CERTS to consider:

// Flags: --use-openssl-ca
tls.getCACertificates('default');   // Either warn or error about no issuer name to filter for
tls.getCACertificates('default', cert);  // Does not warn and perform a similar hash lookup for system certs, + extra certs from NODE_EXTRA_CA_CERTS if any
tls.getCACertificates('openssl', cert);  // Similar, but no certs from NODE_EXTRA_CA_CERTS

So are we only allowing this API to accept certificates as valid arguments, while dropping support for subject name ? And one more thing, I need calrification about how to deal with developers who call tls.getCACertificates('openssl', cert);without --use-openssl-ca as flag to pass? allow or not?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem. typings

Projects

None yet

Development

Successfully merging this pull request may close these issues.

tls.getCACertificates("default") always returns an empty list when using --use-openssl-ca

3 participants