crypto: load system CA certificates off thread

joyeecheung · targos · commit 89fe63551e1a · 2025-08-26T08:01:33.000+02:00
When --use-system-ca is enabled, load the system CA certificates eagerly off the main thread to avoid blocking the main thread when the first TLS connection is made. PR-URL: #59550 Refs: #58990 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
@@ -814,6 +814,23 @@ static std::vector<X509*>& GetSystemStoreCACertificates() {
   return system_store_certs;
 }
 
+static void LoadSystemCACertificates(void* data) {
+  GetSystemStoreCACertificates();
+}
+
+static uv_thread_t system_ca_thread;
+static bool system_ca_thread_started = false;
+int LoadSystemCACertificatesOffThread() {
+  // This is only run once during the initialization of the process, so
+  // it is safe to use a static thread here.
+  int r =
+      uv_thread_create(&system_ca_thread, LoadSystemCACertificates, nullptr);
+  if (r == 0) {
+    system_ca_thread_started = true;
+  }
+  return r;
+}
+
 static std::vector<X509*> InitializeExtraCACertificates() {
   std::vector<X509*> extra_certs;
   unsigned long err = LoadCertsFromFile(  // NOLINT(runtime/int)
@@ -925,6 +942,10 @@ void CleanupCachedRootCertificates() {
       X509_free(cert);
     }
   }
+  if (system_ca_thread_started) {
+    uv_thread_join(&system_ca_thread);
+    system_ca_thread_started = false;
+  }
 }
 
 void GetBundledRootCertificates(const FunctionCallbackInfo<Value>& args) {
diff --git a/src/crypto/crypto_util.h b/src/crypto/crypto_util.h
@@ -45,6 +45,7 @@ void InitCryptoOnce();
 void InitCrypto(v8::Local<v8::Object> target);
 
 extern void UseExtraCaCerts(std::string_view file);
+extern int LoadSystemCACertificatesOffThread();
 void CleanupCachedRootCertificates();
 
 int PasswordCallback(char* buf, int size, int rwflag, void* u);
diff --git a/src/node.cc b/src/node.cc
@@ -1208,6 +1208,20 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
       return result;
     }
 
+    if (per_process::cli_options->use_system_ca) {
+      // Load the system CA certificates eagerly off the main thread to avoid
+      // blocking the main thread when the first TLS connection is made. We
+      // don't need to wait for the thread to finish with code here, as
+      // GetSystemStoreCACertificates() has a function-local static and any
+      // actual user of it will wait for that to complete initialization.
+      int r = crypto::LoadSystemCACertificatesOffThread();
+      if (r != 0) {
+        FPrintF(
+            stderr,
+            "Warning: Failed to load system CA certificates off thread: %s\n",
+            uv_strerror(r));
+      }
+    }
     // Ensure CSPRNG is properly seeded.
     CHECK(ncrypto::CSPRNG(nullptr, 0));
 
