-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
src: add openssl-system-ca-path configure option #16790
Conversation
cc @nodejs/crypto |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM modulo comments.
I'm not thrilled by yet another way to override the CA store but that in itself is not a reason to reject it.
I had similar misgivings about the original override because I knew it would only be a matter of time before people would request alternatives - and when you say yes to one, you cannot reasonably say no to the next one.
configure
Outdated
@@ -1013,6 +1019,9 @@ def configure_openssl(o): | |||
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0 | |||
if options.use_openssl_ca_store: | |||
o['defines'] += ['NODE_OPENSSL_CERT_STORE'] | |||
if options.openssl_system_ca_path: | |||
o['defines'] += ['NODE_OPENSSL_SYSTEM_CERT_PATH ' | |||
+ str(options.openssl_system_ca_path)] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NODE_OPENSSL_SYSTEM_CERT_PATH=...
instead of NODE_OPENSSL_SYSTEM_CERT_PATH ...
?
Operator should go on the first line.
Isn't options.openssl_system_ca_path
already a string?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry it is, this was a left over from when I use the append action instead of store. I'll fix this.
src/node_crypto.cc
Outdated
NODE_STRINGIFY(NODE_OPENSSL_SYSTEM_CERT_PATH); | ||
#else | ||
nullptr; | ||
#endif |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
static const char system_cert_path[] = ...;
(""
when undefined) and I'd prefer defining it in both arms, easier to read.
NODE_STRINGIFY()
isn't necessary, or is it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll define the in both cases and use "" when undefined.
I do think the NODE_STRINGIFY call is needed to get the value (the path) but if there are better ways of doing this please let me know. Thanks
src/node_crypto.cc
Outdated
@@ -792,6 +799,9 @@ static X509_STORE* NewRootCertStore() { | |||
} | |||
|
|||
X509_STORE* store = X509_STORE_new(); | |||
if (system_cert_path != nullptr) { | |||
X509_STORE_load_locations(store, system_cert_path, NULL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nullptr
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll fix this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM once @bnoordhuis' comments are addressed...
I can understand this and just wanted to say that I appreciate this getting in as it does make things easier for us. Until now patches were applied to do this and maintaining them is something I'd rather avoid. |
configure
Outdated
@@ -1013,6 +1019,9 @@ def configure_openssl(o): | |||
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0 | |||
if options.use_openssl_ca_store: | |||
o['defines'] += ['NODE_OPENSSL_CERT_STORE'] | |||
if options.openssl_system_ca_path: | |||
o['defines'] += ['NODE_OPENSSL_SYSTEM_CERT_PATH=' | |||
+ options.openssl_system_ca_path] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Operator on first line. :-)
I think you need the NODE_STRINGIFY macro because you pass a plain string but it should work without it if you wrap the string in quotes:
o['defines'] += ['NODE_OPENSSL_SYSTEM_CERT_PATH="{}"'.format(options.openssl_system_ca_path)]
If you set it unconditionally, you don't need the #if defined(...)
in node_crypto.cc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the suggestion and it works perfectly with for node_crypto.cc. I do run into an issue with test-process-config.js
though:
$ out/Release/node test/parallel/test-process-config.js
undefined:3
"defines": [ "NODE_OPENSSL_SYSTEM_CERT_PATH="/Users/danielbevenius/work/bucharest-gold/node-rpm/rpms/ca-bundle.crt""],
^
SyntaxError: Unexpected token / in JSON at position 164
at JSON.parse (<anonymous>)
at Object.<anonymous> (/Users/danielbevenius/work/nodejs/node/test/parallel/test-process-config.js:49:15)
at Module._compile (module.js:641:30)
at Object.Module._extensions..js (module.js:652:10)
at Module.load (module.js:560:32)
at tryModuleLoad (module.js:503:12)
at Function.Module._load (module.js:495:3)
at Function.Module.runMain (module.js:682:10)
at startup (bootstrap_node.js:191:16)
at bootstrap_node.js:613:3
I've tried all possible escaping combinations that I can think of in configure but they all seem to break the C++ code.
I'll dig a little further but in the meantime I'll update with the operator on the correct line and also unconditionally set NODE_OPENSSL_SYSTEM_CERT_PATH
and remove the #if defined
in node_crypto.cc
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's just a bug in the test. It pretends that config.gyp is JSON (and tries to parse it as such) when it's not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh great, I'll see if I can come up with a fix for it. Thanks again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've not found a good way of working/fixing the test. What I've suggested in f8980cd is to skip the test if it cannot be parsed into valid JSON. Is this acceptable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would this work?
diff --git a/test/parallel/test-process-config.js b/test/parallel/test-process-config.js
index 05616480e0..05f4ca915a 100644
--- a/test/parallel/test-process-config.js
+++ b/test/parallel/test-process-config.js
@@ -45,7 +45,9 @@ if (!fs.existsSync(configPath)) {
let config = fs.readFileSync(configPath, 'utf8');
// Clean up comment at the first line.
-config = config.split('\n').slice(1).join('\n').replace(/'/g, '"');
+config = config.split('\n').slice(1).join('\n');
+config = config.replace(/"/g, '\\"');
+config = config.replace(/'/g, '"');
config = JSON.parse(config, function(key, value) {
if (value === 'true') return true;
if (value === 'false') return false;
Aside: looking at this again, I realize this sets the define build-wide, not just for files in src/.
NODE_OPENSSL_CERT_STORE
does that too so it's okay for now but it's something we should fix sometime.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, that worked like a charm.
Aside: looking at this again, I realize this sets the define build-wide, not just for files in src/.
Could you tell me or point me to an example of how I can limit them to only files in src?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I couldn't find a proper example but the basic idea is that you restrict the define to a specific target:
diff --git a/node.gyp b/node.gyp
index 1c3e291471..6ca77a0c19 100644
--- a/node.gyp
+++ b/node.gyp
@@ -304,6 +304,14 @@
# Warn when using deprecated V8 APIs.
'V8_DEPRECATION_WARNINGS=1',
],
+
+ 'conditions': [
+ [ 'openssl_system_ca_path!=""', {
+ 'defines': [
+ 'NODE_OPENSSL_SYSTEM_CERT_PATH="<(openssl_system_ca_path)"',
+ ],
+ }],
+ ],
},
{
'target_name': 'mkssldef',
You can't see it but that's the 'target_name': '<(node_core_target_name)'
target.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah I see, great. Thanks!
I've updated inspired by your patch above. One thing I've done is introduced a variable to the above target and setting it to an empty string if not set so that we always set NODE_OPENSSL_SYSTEM_CERT_PATH
. Let me know what you think?
src/node_crypto.cc
Outdated
@@ -792,6 +799,9 @@ static X509_STORE* NewRootCertStore() { | |||
} | |||
|
|||
X509_STORE* store = X509_STORE_new(); | |||
if (strlen(system_cert_path) != 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not wrong but I'd write this as if (*system_cert_path != '\0') {
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll change this. Thanks
], | ||
|
||
'direct_dependent_settings': { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This section should really not be required but is because the moment as src/node_crypto.cc is included in the sources for the cctest target (though not explicitly but through node.gypi). I'm working on a PR for this so that no sources other than the ones listed in cctest are compiled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, LGTM.
The motivation for this commit is that we need to specify system CA certificates when building node. While we are aware of the environment variable NODE_EXTRA_CA_CERTS this is not a great solution as we build an RPM and we also don't want users to be able to unset them. The suggestion is to add a configure time property like this: --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH Use the specified path to system CA (PEM format) in addition to the OpenSSL supplied CA store or compiled- in Mozilla CA copy. Usage example: $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt This would add the specified CA certificates in addition to the ones already being used.
Rebased and squashed CI: https://ci.nodejs.org/job/node-test-pull-request/11319/ |
configure
Outdated
@@ -172,6 +172,12 @@ parser.add_option('--openssl-use-def-ca-store', | |||
dest='use_openssl_ca_store', | |||
help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.') | |||
|
|||
parser.add_option('--openssl-system-ca-path', | |||
action="store", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you use action='store'
(single quotes) here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problems, I'll update that. Thanks
Landed in cad1d1f |
The motivation for this commit is that we need to specify system CA certificates when building node. While we are aware of the environment variable NODE_EXTRA_CA_CERTS this is not a great solution as we build an RPM and we also don't want users to be able to unset them. The suggestion is to add a configure time property like this: --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH Use the specified path to system CA (PEM format) in addition to the OpenSSL supplied CA store or compiled- in Mozilla CA copy. Usage example: $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt This would add the specified CA certificates in addition to the ones already being used. PR-URL: nodejs#16790 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
The motivation for this commit is that we need to specify system CA certificates when building node. While we are aware of the environment variable NODE_EXTRA_CA_CERTS this is not a great solution as we build an RPM and we also don't want users to be able to unset them. The suggestion is to add a configure time property like this: --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH Use the specified path to system CA (PEM format) in addition to the OpenSSL supplied CA store or compiled- in Mozilla CA copy. Usage example: $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt This would add the specified CA certificates in addition to the ones already being used. PR-URL: #16790 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
This lands cleanly on both v6.x and v8.x but I'd like to see it in a release a bit longer before backporting Is there a reason this landed as semver-patch rather than semver-minor? edit: also if there is no reason to hold off before LTS please lmk |
I forgot to consider the semver of this before landing I'm afraid, and this should have been marked semver-minor I think. |
@danbev we'd like to land this on v6.x and 8.x but it is no longer landing cleanly can you please backport |
The motivation for this commit is that we need to specify system CA certificates when building node. While we are aware of the environment variable NODE_EXTRA_CA_CERTS this is not a great solution as we build an RPM and we also don't want users to be able to unset them. The suggestion is to add a configure time property like this: --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH Use the specified path to system CA (PEM format) in addition to the OpenSSL supplied CA store or compiled- in Mozilla CA copy. Usage example: $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt This would add the specified CA certificates in addition to the ones already being used. PR-URL: nodejs#16790 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
The motivation for this commit is that we need to specify system CA certificates when building node. While we are aware of the environment variable NODE_EXTRA_CA_CERTS this is not a great solution as we build an RPM and we also don't want users to be able to unset them. The suggestion is to add a configure time property like this: --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH Use the specified path to system CA (PEM format) in addition to the OpenSSL supplied CA store or compiled- in Mozilla CA copy. Usage example: $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt This would add the specified CA certificates in addition to the ones already being used. Backport-PR-URL: #18173 PR-URL: #16790 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
The motivation for this commit is that we need to specify system CA certificates when building node. While we are aware of the environment variable NODE_EXTRA_CA_CERTS this is not a great solution as we build an RPM and we also don't want users to be able to unset them. The suggestion is to add a configure time property like this: --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH Use the specified path to system CA (PEM format) in addition to the OpenSSL supplied CA store or compiled- in Mozilla CA copy. Usage example: $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt This would add the specified CA certificates in addition to the ones already being used. Backport-PR-URL: #18173 PR-URL: #16790 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
This LTS release comes with 109 commits, 17 of which are considered Semver-Minor. This includes 32 which are doc related, 29 which are test related, 8 which are build / tool related and 1 commit which updates a dependency. Notable Changes: * console: - added console.count() and console.clear() (James M Snell) #12678 * crypto: - expose ECDH class (Bryan English) #8188 - added cypto.randomFill() and crypto.randomFillSync() (Evan Lucas) #10209 - warn on invalid authentication tag length (Tobias Nießen) #17566 * deps: - upgrade libuv to 1.16.1 (cjihrig) #16835 * dgram: - added socket.setMulticastInterface() (Will Young) #7855 * http: - add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of `Agent` (Fedor Indutny) #13005 * lib: - return this from net.Socket.end() (Sam Roberts) #13481 * module: - add builtinModules api that provides list of all builtin modules in Node (Jon Moss) #16386 * net: - return this from getConnections() (Sam Roberts) #13553 * promises: - more robust stringification for unhandled rejections (Timothy Gu) #13784 * repl: - improve require() autocompletion (Alexey Orlenko) #14409 * src: - add openssl-system-ca-path configure option (Daniel Bevenius) #16790 - add --use-bundled-ca --use-openssl-ca check (Daniel Bevenius) #12087 - add process.ppid (cjihrig) #16839 * tls: - accept `lookup` option for `tls.connect()` (Fedor Indutny) #12839 * tools, build: - a new macOS installer! (JP Wesselink) #15179 * url: - WHATWG URL api support (James M Snell) #7448 * util: - add %i and %f formatting specifiers (Roman Reiss) #10308 PR-URL: #18342
The motivation for this commit is that we need to specify system CA certificates when building node. While we are aware of the environment variable NODE_EXTRA_CA_CERTS this is not a great solution as we build an RPM and we also don't want users to be able to unset them. The suggestion is to add a configure time property like this: --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH Use the specified path to system CA (PEM format) in addition to the OpenSSL supplied CA store or compiled- in Mozilla CA copy. Usage example: $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt This would add the specified CA certificates in addition to the ones already being used. Backport-PR-URL: #18173 PR-URL: #16790 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
This LTS release comes with 109 commits, 17 of which are considered Semver-Minor. This includes 32 which are doc related, 29 which are test related, 8 which are build / tool related and 1 commit which updates a dependency. Notable Changes: * console: - added console.count() and console.clear() (James M Snell) #12678 * crypto: - expose ECDH class (Bryan English) #8188 - added cypto.randomFill() and crypto.randomFillSync() (Evan Lucas) #10209 - warn on invalid authentication tag length (Tobias Nießen) #17566 * deps: - upgrade libuv to 1.16.1 (cjihrig) #16835 * dgram: - added socket.setMulticastInterface() (Will Young) #7855 * http: - add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of `Agent` (Fedor Indutny) #13005 * lib: - return this from net.Socket.end() (Sam Roberts) #13481 * module: - add builtinModules api that provides list of all builtin modules in Node (Jon Moss) #16386 * net: - return this from getConnections() (Sam Roberts) #13553 * promises: - more robust stringification for unhandled rejections (Timothy Gu) #13784 * repl: - improve require() autocompletion (Alexey Orlenko) #14409 * src: - add openssl-system-ca-path configure option (Daniel Bevenius) #16790 - add --use-bundled-ca --use-openssl-ca check (Daniel Bevenius) #12087 - add process.ppid (cjihrig) #16839 * tls: - accept `lookup` option for `tls.connect()` (Fedor Indutny) #12839 * tools, build: - a new macOS installer! (JP Wesselink) #15179 * url: - WHATWG URL api support (James M Snell) #7448 * util: - add %i and %f formatting specifiers (Roman Reiss) #10308 PR-URL: #18342
The motivation for this commit is that we need to specify system CA certificates when building node. While we are aware of the environment variable NODE_EXTRA_CA_CERTS this is not a great solution as we build an RPM and we also don't want users to be able to unset them. The suggestion is to add a configure time property like this: --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH Use the specified path to system CA (PEM format) in addition to the OpenSSL supplied CA store or compiled- in Mozilla CA copy. Usage example: $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt This would add the specified CA certificates in addition to the ones already being used. Backport-PR-URL: #18173 PR-URL: #16790 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
This LTS release comes with 109 commits, 17 of which are considered Semver-Minor. This includes 32 which are doc related, 29 which are test related, 8 which are build / tool related and 1 commit which updates a dependency. Notable Changes: * console: - added console.count() and console.clear() (James M Snell) #12678 * crypto: - expose ECDH class (Bryan English) #8188 - added cypto.randomFill() and crypto.randomFillSync() (Evan Lucas) #10209 - warn on invalid authentication tag length (Tobias Nießen) #17566 * deps: - upgrade libuv to 1.16.1 (cjihrig) #16835 * dgram: - added socket.setMulticastInterface() (Will Young) #7855 * http: - add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of `Agent` (Fedor Indutny) #13005 * lib: - return this from net.Socket.end() (Sam Roberts) #13481 * module: - add builtinModules api that provides list of all builtin modules in Node (Jon Moss) #16386 * net: - return this from getConnections() (Sam Roberts) #13553 * promises: - more robust stringification for unhandled rejections (Timothy Gu) #13784 * repl: - improve require() autocompletion (Alexey Orlenko) #14409 * src: - add openssl-system-ca-path configure option (Daniel Bevenius) #16790 - add --use-bundled-ca --use-openssl-ca check (Daniel Bevenius) #12087 - add process.ppid (cjihrig) #16839 * tls: - accept `lookup` option for `tls.connect()` (Fedor Indutny) #12839 * tools, build: - a new macOS installer! (JP Wesselink) #15179 * url: - WHATWG URL api support (James M Snell) #7448 * util: - add %i and %f formatting specifiers (Roman Reiss) #10308 PR-URL: #18342
This LTS release comes with 112 commits, 17 of which are considered Semver-Minor. This includes 32 which are doc related, 30 which are test related, 8 which are build / tool related and 1 commit which updates a dependency. Notable Changes: * console: - added console.count() and console.clear() (James M Snell) #12678 * crypto: - expose ECDH class (Bryan English) #8188 - added cypto.randomFill() and crypto.randomFillSync() (Evan Lucas) #10209 - warn on invalid authentication tag length (Tobias Nießen) #17566 * deps: - upgrade libuv to 1.16.1 (cjihrig) #16835 * dgram: - added socket.setMulticastInterface() (Will Young) #7855 * http: - add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of `Agent` (Fedor Indutny) #13005 * lib: - return this from net.Socket.end() (Sam Roberts) #13481 * module: - add builtinModules api that provides list of all builtin modules in Node (Jon Moss) #16386 * net: - return this from getConnections() (Sam Roberts) #13553 * promises: - more robust stringification for unhandled rejections (Timothy Gu) #13784 * repl: - improve require() autocompletion (Alexey Orlenko) #14409 * src: - add openssl-system-ca-path configure option (Daniel Bevenius) #16790 - add --use-bundled-ca --use-openssl-ca check (Daniel Bevenius) #12087 - add process.ppid (cjihrig) #16839 * tls: - accept `lookup` option for `tls.connect()` (Fedor Indutny) #12839 * tools, build: - a new macOS installer! (JP Wesselink) #15179 * url: - WHATWG URL api support (James M Snell) #7448 * util: - add %i and %f formatting specifiers (Roman Reiss) #10308 PR-URL: #18342
This LTS release comes with 112 commits, 17 of which are considered Semver-Minor. This includes 32 which are doc related, 30 which are test related, 8 which are build / tool related and 1 commit which updates a dependency. Notable Changes: * console: - added console.count() and console.clear() (James M Snell) #12678 * crypto: - expose ECDH class (Bryan English) #8188 - added cypto.randomFill() and crypto.randomFillSync() (Evan Lucas) #10209 - warn on invalid authentication tag length (Tobias Nießen) #17566 * deps: - upgrade libuv to 1.16.1 (cjihrig) #16835 * dgram: - added socket.setMulticastInterface() (Will Young) #7855 * http: - add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of `Agent` (Fedor Indutny) #13005 * lib: - return this from net.Socket.end() (Sam Roberts) #13481 * module: - add builtinModules api that provides list of all builtin modules in Node (Jon Moss) #16386 * net: - return this from getConnections() (Sam Roberts) #13553 * promises: - more robust stringification for unhandled rejections (Timothy Gu) #13784 * repl: - improve require() autocompletion (Alexey Orlenko) #14409 * src: - add openssl-system-ca-path configure option (Daniel Bevenius) #16790 - add --use-bundled-ca --use-openssl-ca check (Daniel Bevenius) #12087 - add process.ppid (cjihrig) #16839 * tls: - accept `lookup` option for `tls.connect()` (Fedor Indutny) #12839 * tools, build: - a new macOS installer! (JP Wesselink) #15179 * url: - WHATWG URL api support (James M Snell) #7448 * util: - add %i and %f formatting specifiers (Roman Reiss) #10308 PR-URL: #18342
The motivation for this commit is that we need to specify system CA certificates when building node. While we are aware of the environment variable NODE_EXTRA_CA_CERTS this is not a great solution as we build an RPM and we also don't want users to be able to unset them. The suggestion is to add a configure time property like this: --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH Use the specified path to system CA (PEM format) in addition to the OpenSSL supplied CA store or compiled- in Mozilla CA copy. Usage example: $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt This would add the specified CA certificates in addition to the ones already being used. PR-URL: #16790 Backport-PR-URL: #18174 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
This LTS release comes with 112 commits, 17 of which are considered Semver-Minor. This includes 32 which are doc related, 30 which are test related, 8 which are build / tool related and 1 commit which updates a dependency. Notable Changes: * console: - added console.count() and console.clear() (James M Snell) nodejs#12678 * crypto: - expose ECDH class (Bryan English) nodejs#8188 - added cypto.randomFill() and crypto.randomFillSync() (Evan Lucas) nodejs#10209 - warn on invalid authentication tag length (Tobias Nießen) nodejs#17566 * deps: - upgrade libuv to 1.16.1 (cjihrig) nodejs#16835 * dgram: - added socket.setMulticastInterface() (Will Young) nodejs#7855 * http: - add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of `Agent` (Fedor Indutny) nodejs#13005 * lib: - return this from net.Socket.end() (Sam Roberts) nodejs#13481 * module: - add builtinModules api that provides list of all builtin modules in Node (Jon Moss) nodejs#16386 * net: - return this from getConnections() (Sam Roberts) nodejs#13553 * promises: - more robust stringification for unhandled rejections (Timothy Gu) nodejs#13784 * repl: - improve require() autocompletion (Alexey Orlenko) nodejs#14409 * src: - add openssl-system-ca-path configure option (Daniel Bevenius) nodejs#16790 - add --use-bundled-ca --use-openssl-ca check (Daniel Bevenius) nodejs#12087 - add process.ppid (cjihrig) nodejs#16839 * tls: - accept `lookup` option for `tls.connect()` (Fedor Indutny) nodejs#12839 * tools, build: - a new macOS installer! (JP Wesselink) nodejs#15179 * url: - WHATWG URL api support (James M Snell) nodejs#7448 * util: - add %i and %f formatting specifiers (Roman Reiss) nodejs#10308 PR-URL: nodejs#18342
The motivation for this commit is that we need to specify system CA
certificates when building node. While we are aware of the environment
variable
NODE_EXTRA_CA_CERTS
this is not a great solution as we buildan RPM and we also don't want users to be able to unset them.
The suggestion is to add a configure time property like this:
Usage example:
$ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt
This would add the specified CA certificates in addition to the ones
already being used.
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesAffected core subsystem(s)
src, build