Externalize the CA certificates #7148

Open
nixx opened this Issue · 6 comments

7 participants

@nixx

This is related to #6085, which is now closed.

I do see the arguments for not wanting to use the system certificates, but I would really like to be able to configure additional certificates without having to patch node.

My current setup is behind a firewall intercepting TLS traffic, and node fails when trying to access sites using https.

If the CA certificates were moved to a config file, it would be a lot easier to add the firewall certificate as a trusted CA.

An alternative solution could be to be able to configure a persistent option for allowing non-trusted https sites, similar to NPM's strict-ssl option.

@indutny
Owner

Couldn't you just pass the ca option to https.request?

@nixx

I could if I had control over all the code.

The problem is third party libraries I don't have control over. One concrete example is a post install script when I use a Yeoman generator. I could of course fix that specific problem, but I'm almost certain that similar problems will occur later.

@rlidwka

> My current setup is behind a firewall intercepting TLS traffic, and node fails when trying to access sites using https.

I suggest configuring your firewall so it won't intercept outgoing connections. You're essentially performing a MitM attack, and node.js's response to that is adequate.

@nixx

Yes, I do know the firewall performs a MitM attack. However, this is not an uncommon setup at mid-size and large companies, and even if I do not like the setup, I do see the rationale behind doing it. Virus scanning is just one example.

I also agree that the default node behavior is adequate, in the same way that Firefox's or Chrome's behavior when you access sites signed with an untrusted CA is adequate.

I don't want to change the behaviour of node, but I would like to have an option of adding trusted CAs after compile, like I'm able to do with both Firefox and Chrome, and not have to patch and recompile Node as I need to do now.

@tjfontaine
Owner

This is a must have, I agree. It's unfortunately not going to make the initial release for v0.12 such that the store would be configurable at runtime. However, we could add some command line flag and/or environment variable to use an alternate certificate store at launch time. If you're interested in such a feature, please consider doing a PR for it.

@TooTallNate
Owner

FWIW, we've employed this hack in production for a while now:

```js
var tls = require('tls');

// `ca` is defined elsewhere in the file: an Array of Buffers holding the
// operating system's CA certificates (see the note below the code).
var toArray = function (list) { return Array.prototype.slice.call(list); };

var connect = tls.connect;
tls.connect = function () {
  var arg;
  var options;
  var args = toArray(arguments);

  // tls.connect accepts several signatures; scan from the end to find the
  // options object (a trailing callback is a function, so it is skipped).
  for (var i = args.length - 1; i >= 0; i--) {
    arg = args[i];
    if ('object' == typeof arg) {
      options = arg;
      break;
    }
  }

  // Only fill in `ca` when the caller did not set one of their own.
  if (options && !options.ca && ca) {
    options.ca = ca;
  }

  return connect.apply(tls, args);
};
```

Note that the ca array is defined elsewhere in the file, but it's an Array of Buffer instances which are SSL CA certs from the operating system (getting the system's CA store is done via a native process, not node).
