crypto: explicitly enable auto cert chaining #22110
Conversation
nodejs-github-bot
added
c++
|
@nodejs/crypto |
|
@nodejs/security-wg |
|
Not objecting, but a couple of questions:
|
The specific behaviour I observed was when setting up a server with a self-signed cert, and providing the root/intermediate certs in the const server = https.createServer({
key: fs.readFileSync(path.join(certPath, 'server.key')),
cert: fs.readFileSync(path.join(certPath, 'server.pem')),
ca: [
fs.readFileSync(path.join(certPath, 'rootCA.pem')),
fs.readFileSync(path.join(certPath, 'intermediateCA.pem'))
],
requestCert: true,
rejectUnauthorized: false
}, ...)With automatic cert chaining, which is enabled by default in OpenSSL, a trust chain will be built for the cert on every handshake (see OpenSSL and BoringSSL, which also caches the chain). If this behaviour is disabled, which is the default in BoringSSL, then the certificate chain will not be automatically built from certs that are available in the CA list. I think changing this behaviour in node—to not build these chains automatically—has the potential to be fairly disruptive, since it changes core APIs (
See boringssl/42, which is closed as WontFix, since wpa_supplicant depends on the auto-chaining feature too. So its removal from BoringSSL seems unlikely. Even if it were removed from BoringSSL, since Node.js doesn't officially support BoringSSL, I imagine there'd be no work for the Node.js team to do at all :)
In Electron, the only other changes we need to get node to compile with BoringSSL are a few #defines. |
|
We most likely won't support BoringSSL officially (which isn't recommended by BoringSSL anyway). Personally, I am okay with merging this with a comment explaining why this line is necessary and maybe also a preprocessor directive to skip this for non-BoringSSL builds. Pinging @nodejs/tsc for opinions. |
|
No opinion on the change, but without at least a comment explaining the line, this risks being removed in a refactor at a later date. |
nornagon
force-pushed
the
enable-auto-chaining
branch
from
e90b790
to
bc35f30
Compare
addaleax
added
the
author ready
|
Landed in 7dae872. |
OpenSSL enables this feature by default, but BoringSSL doesn't. This change makes it so that when building node with BoringSSL, the behaviour matches OpenSSL's. PR-URL: #22110 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
OpenSSL enables this feature by default, but BoringSSL doesn't. This change makes it so that when building node with BoringSSL, the behaviour matches OpenSSL's. PR-URL: #22110 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
OpenSSL enables this feature by default, but BoringSSL doesn't. This change makes it so that when building node with BoringSSL, the behaviour matches OpenSSL's. PR-URL: #22110 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
OpenSSL enables this feature by default, but BoringSSL doesn't, because it's expensive and unnecessary (see boringssl/27 and boringssl/42). This change makes it so that when building node with BoringSSL, the behaviour matches OpenSSL's.
Electron will be building node.js with BoringSSL in future, and we've floated this patch on our fork (see electron/node#47).
Checklist