Description: do not bundle CA certificates; openssl on Debian already has them
As a consequence, nodejs must depend on ca-certificates.
Since version 4.8, upstream has supported the NODE_EXTRA_CA_CERTS env
var for specifying a root CA bundle file path. However, to minimize
the impact on nodejs during the freeze, I chose to disable it and hard-code
the value to /etc/ssl/certs/ca-certificates.crt
Forwarded: not-needed
Author: Jérémy Lal <kapouer@melix.org>
Last-Update: 2017-03-21
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -120,9 +120,7 @@
static Mutex* mutexes;
-const char* const root_certs[] = {
-#include "node_root_certs.h" // NOLINT(build/include_order)
-};
+const char* const root_certs[] = {};
std::string extra_root_certs_file; // NOLINT(runtime/string)
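Review bot: `const char* const root_certs[] = {};` on the new side declares a zero-length array, which is not valid ISO C++ (GCC and Clang accept it as an extension), and `arraysize(root_certs)` — still present in the loop the later hunks comment out — may fail to deduce a size for it if that loop is ever re-enabled or the array is read elsewhere in the file. Since the array is deliberately left in place rather than removed, a one-line comment should say why it is empty, e.g. `// Debian: no bundled roots; the trust store is filled from the system bundle via UseExtraCaCerts()`. If nothing else references `root_certs` after this patch, dropping the declaration outright would avoid the extension entirely; I cannot see the rest of the file to confirm.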
@@ -712,6 +710,7 @@
if (!root_certs_vector) {
root_certs_vector = new std::vector<X509*>;
+ /*
for (size_t i = 0; i < arraysize(root_certs); i++) {
BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
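Review bot: Parking the bundled-certificate loop inside a `/*` opened here and closed by the `*/` in the next hunk (the `@@ -722,6 +721,7 @@` hunk) is fragile: any `*/` inside the enclosed lines ends the comment early, and the loop keeps reading as live code to anyone skimming the file. `#if 0` / `#endif` around the same span is the conventional way to disable a region and is immune to that, or the loop can simply be deleted since the array it iterates is now empty. The `/*` should also carry a short reason, e.g. `// Debian: bundled roots removed; root_certs_vector is populated only from the system bundle passed to UseExtraCaCerts()`, so the empty vector here is understood as intentional. The enclosing function starts before this hunk and continues past the next one.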
@@ -722,6 +721,7 @@
root_certs_vector->push_back(x509);
}
+ */
}
X509_STORE* store = X509_STORE_new();
--- a/src/node.cc
+++ b/src/node.cc
@@ -4400,8 +4400,7 @@
Init(&argc, const_cast<const char**>(argv), &exec_argc, &exec_argv);
#if HAVE_OPENSSL
- if (const char* extra = secure_getenv("NODE_EXTRA_CA_CERTS"))
- crypto::UseExtraCaCerts(extra);
+ crypto::UseExtraCaCerts("/etc/ssl/certs/ca-certificates.crt");
// V8 on Windows doesn't have a good source of entropy. Seed it from
// OpenSSL's pool.
V8::SetEntropySource(crypto::EntropySource);
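Review bot: With the bundled array emptied in node_crypto.cc, the hard-coded `crypto::UseExtraCaCerts("/etc/ssl/certs/ca-certificates.crt")` becomes the sole source of trust, so if that file is missing or unreadable the process presumably ends up with an empty root store and every TLS verification fails — fail-closed, but hard to diagnose from the client side. Whatever UseExtraCaCerts does on a load failure is outside this hunk; it is worth confirming it emits a clear warning naming the path, and making the ca-certificates dependency the description mentions a hard Depends rather than a Recommends. A comment at the call would also explain to readers why the `secure_getenv("NODE_EXTRA_CA_CERTS")` override disappeared: `// Debian: system CA bundle replaces the bundled root_certs; NODE_EXTRA_CA_CERTS is intentionally ignored`. The `#if HAVE_OPENSSL` block continues outside the hunk.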
--- a/test/parallel/parallel.status
+++ b/test/parallel/parallel.status
@@ -6,6 +6,9 @@
[true] # This section applies to all platforms
+test-tls-env-extra-ca : FAIL
+test-tls-env-bad-extra-ca : FAIL
+
[$system==win32]
test-tick-processor : PASS,FLAKY
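Review bot: The two new `FAIL` entries carry no explanation, although parallel.status accepts `#` comments (the `[true]` line just above uses one), so a maintainer seeing these tests fail on Debian will not know it is expected rather than a regression. A single comment line above them would do, e.g. `# Debian: NODE_EXTRA_CA_CERTS is ignored because the system bundle is hard-coded, see <name of this patch>`.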