-
Notifications
You must be signed in to change notification settings - Fork 29.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
crypto: allow adding extra certs to well-known CAs
In closed environments, self-signed or privately signed certificates are commonly used, and rejected by Node.js since their root CAs are not well-known. Allow extending the set of well-known compiled-in CAs via environment, so they can be set as a matter of policy. PR-URL: #9139 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
- Loading branch information
1 parent
213134f
commit fd644f5
Showing
6 changed files
with
150 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
// Setting NODE_EXTRA_CA_CERTS to non-existent file emits a warning | ||
|
||
'use strict'; | ||
const common = require('../common'); | ||
|
||
if (!common.hasCrypto) { | ||
common.skip('missing crypto'); | ||
return; | ||
} | ||
|
||
const assert = require('assert'); | ||
const tls = require('tls'); | ||
const fork = require('child_process').fork; | ||
|
||
if (process.env.CHILD) { | ||
// This will try to load the extra CA certs, and emit a warning when it fails. | ||
return tls.createServer({}); | ||
} | ||
|
||
const env = { | ||
CHILD: 'yes', | ||
NODE_EXTRA_CA_CERTS: common.fixturesDir + '/no-such-file-exists', | ||
}; | ||
|
||
var opts = { | ||
env: env, | ||
silent: true, | ||
}; | ||
var stderr = ''; | ||
|
||
fork(__filename, opts) | ||
.on('exit', common.mustCall(function(status) { | ||
assert.equal(status, 0, 'client did not succeed in connecting'); | ||
})) | ||
.on('close', common.mustCall(function() { | ||
assert(stderr.match(new RegExp( | ||
'Warning: Ignoring extra certs from.*no-such-file-exists' + | ||
'.* load failed:.*No such file or directory' | ||
)), stderr); | ||
})) | ||
.stderr.setEncoding('utf8').on('data', function(str) { | ||
stderr += str; | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
// Certs in NODE_EXTRA_CA_CERTS are used for TLS peer validation | ||
|
||
'use strict'; | ||
const common = require('../common'); | ||
|
||
if (!common.hasCrypto) { | ||
common.skip('missing crypto'); | ||
return; | ||
} | ||
|
||
const assert = require('assert'); | ||
const tls = require('tls'); | ||
const fork = require('child_process').fork; | ||
const fs = require('fs'); | ||
|
||
if (process.env.CHILD) { | ||
const copts = { | ||
port: process.env.PORT, | ||
checkServerIdentity: function() {}, | ||
}; | ||
const client = tls.connect(copts, function() { | ||
client.end('hi'); | ||
}); | ||
return; | ||
} | ||
|
||
const options = { | ||
key: fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem'), | ||
cert: fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem'), | ||
}; | ||
|
||
const server = tls.createServer(options, function(s) { | ||
s.end('bye'); | ||
server.close(); | ||
}).listen(0, common.mustCall(function() { | ||
const env = { | ||
CHILD: 'yes', | ||
PORT: this.address().port, | ||
NODE_EXTRA_CA_CERTS: common.fixturesDir + '/keys/ca1-cert.pem', | ||
}; | ||
|
||
fork(__filename, {env: env}).on('exit', common.mustCall(function(status) { | ||
assert.equal(status, 0, 'client did not succeed in connecting'); | ||
})); | ||
})); |