Package: nodejs / 4.8.2~dfsg-1

2014_donotinclude_root_certs.patch Patch series | download
Description: do not bundle CA certificates, openssl on Debian has them
 As a consequence, nodejs must depend on ca-certificates.
 Since version 4.8, upstream has supported the NODE_EXTRA_CA_CERTS
 environment variable for specifying a root CA bundle file path. However,
 to minimize the impact on nodejs during the freeze, I chose to disable it
 and hard-code the value to /etc/ssl/certs/ca-certificates.crt
Forwarded: not-needed
Author: Jérémy Lal <kapouer@melix.org>
Last-Update: 2017-03-21
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -120,9 +120,7 @@
 
 static Mutex* mutexes;
 
-const char* const root_certs[] = {
-#include "node_root_certs.h"  // NOLINT(build/include_order)
-};
+const char* const root_certs[] = {};
 
 std::string extra_root_certs_file;  // NOLINT(runtime/string)
 
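Review bot: `const char* const root_certs[] = {};` gives an array of unknown bound an empty initializer, which ISO C++ does not allow; it builds only where the compiler accepts zero-length arrays as an extension, and `arraysize(root_certs)` would likely no longer be usable on it. The loop that reads the array is commented out further down in this file, so consider dropping the declaration if nothing else references it (not visible from this hunk). Otherwise add a comment such as `// Debian: no bundled roots; trust anchors come only from the system ca-certificates bundle.` so the empty table is not mistaken for an accident.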
@@ -712,6 +710,7 @@
   if (!root_certs_vector) {
     root_certs_vector = new std::vector<X509*>;
 
+    /*
     for (size_t i = 0; i < arraysize(root_certs); i++) {
       BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
       X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
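Review bot: The `/*` added before the `for` loop is closed by the `*/` in the next hunk, and the lines in between are not shown, so any `*/` inside that elided stretch would end the comment early and re-enable part of the loop. `#if 0` / `#endif` with a one-line reason, or deleting the loop outright, is sturdier than a block comment around code. With the loop disabled, `root_certs_vector` stays empty at this point, so a comment like `// Debian: bundled roots removed; see extra_root_certs_file for the system bundle` would tell the reader where trust anchors are now expected to come from. The enclosing function starts and ends outside both hunks.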
@@ -722,6 +721,7 @@
 
       root_certs_vector->push_back(x509);
     }
+    */
   }
 
   X509_STORE* store = X509_STORE_new();
--- a/src/node.cc
+++ b/src/node.cc
@@ -4400,8 +4400,7 @@
   Init(&argc, const_cast<const char**>(argv), &exec_argc, &exec_argv);
 
 #if HAVE_OPENSSL
-  if (const char* extra = secure_getenv("NODE_EXTRA_CA_CERTS"))
-    crypto::UseExtraCaCerts(extra);
+  crypto::UseExtraCaCerts("/etc/ssl/certs/ca-certificates.crt");
   // V8 on Windows doesn't have a good source of entropy. Seed it from
   // OpenSSL's pool.
   V8::SetEntropySource(crypto::EntropySource);
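Review bot: The unconditional `crypto::UseExtraCaCerts("/etc/ssl/certs/ca-certificates.crt")` makes this one file the sole source of trust anchors, but it goes through a hook written for optional extra certificates, and how that hook reacts to a missing or unreadable file is not visible in this patch. Please confirm that a load failure leaves TLS verification failing closed with a clear diagnostic rather than being silently ignored, since there are no bundled roots to fall back on. A comment above the call would also help, e.g. `// Debian: system bundle is the only root CA source; NODE_EXTRA_CA_CERTS is deliberately ignored.` The `#if HAVE_OPENSSL` block continues past the end of the hunk.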
--- a/test/parallel/parallel.status
+++ b/test/parallel/parallel.status
@@ -6,6 +6,9 @@
 
 [true] # This section applies to all platforms
 
+test-tls-env-extra-ca : FAIL
+test-tls-env-bad-extra-ca : FAIL
+
 [$system==win32]
 test-tick-processor     : PASS,FLAKY