This repository has been archived by the owner on Apr 22, 2023. It is now read-only.
I would like Node to be able to use my system's CA Certificates instead of the ones built in.
This is because I run software in a controlled environment that manages the CA Certs tightly (we have a group that vets them) and we have our own site-specific CA Certs that Node needs to know about.
All the solutions so far involve turning off strict-ssl either per request or globally (ack!). Or a convoluted bit of code that reads in the CA Certs and parses them and feeds them in as options (which means we have to modify 3rd party software or force load our own code that sets global options before their code runs).
Instead, it would be nice if there was a procedure or mechanism for telling Node to use our certificates. We can provide them in a "cert directory" format (one file per cert) or in a single file format.
Traditionally, with OpenSSL, you'd use something like the environment variables SSL_CERT_FILE or SSL_CERT_DIR for this. I'm not a fan of using environment variables, but it would at least be a good start.
This would solve problems with people not having trusted CA Certs and "working around it" by turning off strict-ssl in various ways (see all the Stack Overflows for example).
Ciao!
To make this work for both URLs, I need a way to add to https.globalAgent.options.ca instead of replacing it. But https.globalAgent.options.ca seems to be undefined by default, so I assume the real ca is someplace else.
And to make this "easy" for users, I would need a way to tell node to use my ca cert bundle. e.g. on my Mac with Homebrew installed, I would want it to use /usr/local/etc/openssl/osx_cert.pem. Ideally, this would be a compile time option with the ability to override it via environmental variables.
Ciao!
PS: If you're wondering how I got into this, it's because our hubot can't fetch URLs from internal sites. :-)
We will be adding a mechanism to do this and contributions are welcome, but it doesn't exist yet -- for now either doing it programmatically or at build time is the only solution.
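The programmatic route mentioned above, as an added example (not code from this thread or from the Node.js project): it reads an OpenSSL-style bundle file and certificate directory and appends them to the built-in roots instead of replacing them. Honoring `SSL_CERT_FILE` and `SSL_CERT_DIR` is this example's own choice, the helper names are hypothetical, and it assumes a Node.js release that provides `tls.rootCertificates`.

```javascript
const fs = require('node:fs');
const path = require('node:path');
const tls = require('node:tls');
const https = require('node:https');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle (many certs, possibly with comment text) into single certs.
function splitPemBundle(text) {
  return (text.match(PEM_CERT) || []).map((pem) => pem.trim() + '\n');
}

// Collect site CAs from a bundle file and/or a one-file-per-cert directory.
// Assumption: the env var names follow the OpenSSL convention cited in the issue.
function loadSiteCas(env = process.env) {
  const pems = [];
  if (env.SSL_CERT_FILE) {
    pems.push(...splitPemBundle(fs.readFileSync(env.SSL_CERT_FILE, 'utf8')));
  }
  const dirs = (env.SSL_CERT_DIR || '').split(path.delimiter).filter(Boolean);
  for (const dir of dirs) {
    for (const name of fs.readdirSync(dir).sort()) {
      const file = path.join(dir, name);
      if (fs.statSync(file).isFile()) {
        pems.push(...splitPemBundle(fs.readFileSync(file, 'utf8')));
      }
    }
  }
  return pems;
}

// Built-in roots first, then site CAs, dropping exact duplicates.
function mergedCaList(sitePems, builtin = tls.rootCertificates) {
  const seen = new Set();
  return [...builtin, ...sitePems].filter((pem) => {
    const key = pem.replace(/\s+/g, '');
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// Setting `ca` replaces the default trust store, so pass the merged list.
// Certificate verification stays enabled; nothing here touches strict-ssl.
function installGlobalCas(env = process.env) {
  const site = loadSiteCas(env);
  if (site.length > 0) https.globalAgent.options.ca = mergedCaList(site);
  return site.length;
}
```

Call `installGlobalCas()` once at process start, before any third-party module issues HTTPS requests; requests that pass their own `agent` or `ca` option are not affected by the global agent setting.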