tls: include OpenSSL CAs in default CA list #64269
* `"default"`: return the CA certificates that will be used by the Node.js TLS clients by default.
  * When [`--use-bundled-ca`][] is enabled (default), or [`--use-openssl-ca`][] is not enabled,
    this would include CA certificates from the bundled Mozilla CA store.
  * When [`--use-openssl-ca`][] is enabled, this would include CA certificates loaded
I think we need to document that the certificates queried this way will diverge from what --use-openssl-ca actually uses to verify the certificates: --use-system-ca differs in that it trusts all certificates from the directories without the hash lookup, which is also, e.g., what Go's client does, but --use-openssl-ca actually filters: https://docs.openssl.org/1.1.1/man3/X509_LOOKUP_hash_dir/#hashed-directory-method
I am somewhat skeptical whether this should be implemented without a hash lookup, though. Another workaround is to accept a second parameter that indicates the certificate/subject name we are filtering for. I think we will also need an 'openssl' type that takes this filtering argument.
It seems that hash lookup semantics are specific to the OpenSSL CA store. Adding an extra argument to this method for that case may blur the existing API semantics, since getCACertificates() currently behaves like an enumeration API. Would a separate API (like tls.lookupCACertificates) for OpenSSL-style lookup be a cleaner design?
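The two comments above turn on the difference between enumerating every certificate file in a directory and OpenSSL's hashed-directory lookup, which only opens files named `<subject-hash>.0`, `<subject-hash>.1`, ... for the issuer it is looking for. The following Python is an added illustration for this thread, not Node.js or OpenSSL code: it reimplements the `X509_NAME_hash` filename hash (SHA-1 over the canonical name encoding, first four bytes little-endian), models the by-directory lookup over a constructed directory listing, and contrasts it with a plain enumeration. The sample listing, the `corp-root.pem` filename and the `SAMPLE_DIR` constant are constructed; the ISRG Root X1 subject is used because its hashed filename (`4042bcee.0`) is what Debian-style `ca-certificates` directories ship.

```python
"""Hashed-directory CA lookup versus plain enumeration (added illustration;
not Node.js or OpenSSL code)."""
import hashlib

# Attribute-type OIDs used in the constructed sample subject below.
OID_C, OID_O, OID_CN = "2.5.4.6", "2.5.4.10", "2.5.4.3"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as an OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def _canon_value(value: str) -> bytes:
    """OpenSSL's asn1_string_canon: trim, collapse whitespace runs to one space,
    ASCII-lowercase, and re-encode the value as a UTF8String (tag 0x0c)."""
    collapsed = " ".join(value.split())
    lowered = "".join(c.lower() if "A" <= c <= "Z" else c for c in collapsed)
    return _der(0x0C, lowered.encode("utf-8"))


def subject_name_hash(rdns) -> int:
    """X509_NAME_hash as used for by-directory filenames: SHA-1 over the canonical
    name encoding (each RDN as SET OF SEQUENCE{OID, UTF8String}, no outer
    SEQUENCE), first four digest bytes read little-endian.
    `rdns` is a list of RDNs, each a list of (oid, value) pairs."""
    canon = b""
    for rdn in rdns:
        # DER SET OF orders its members by their encoding.
        avas = sorted(_der(0x30, _der_oid(oid) + _canon_value(val)) for oid, val in rdn)
        canon += _der(0x31, b"".join(avas))
    md = hashlib.sha1(canon).digest()
    return int.from_bytes(md[:4], "little")


def hashed_dir_lookup(listing, issuer_rdns):
    """Files the hashed-directory method would load for this issuer: <hash>.0,
    <hash>.1, ... consecutively until one is missing. Every other file in the
    directory is simply never opened."""
    prefix = f"{subject_name_hash(issuer_rdns):08x}"
    names = set(listing)
    found, i = [], 0
    while f"{prefix}.{i}" in names:
        found.append(f"{prefix}.{i}")
        i += 1
    return found


def enumerate_all(listing):
    """What a 'trust every file in the directory' loader sees."""
    return sorted(listing)


# Constructed directory listing: the hashed filename for ISRG Root X1 next to a
# root someone copied in by hand without running `openssl rehash`.
SAMPLE_DIR = ["4042bcee.0", "corp-root.pem"]

ISRG_ROOT_X1 = [
    [(OID_C, "US")],
    [(OID_O, "Internet Security Research Group")],
    [(OID_CN, "ISRG Root X1")],
]

if __name__ == "__main__":
    print(f"{subject_name_hash(ISRG_ROOT_X1):08x}")
    print("hashed lookup:", hashed_dir_lookup(SAMPLE_DIR, ISRG_ROOT_X1))
    print("enumeration:  ", enumerate_all(SAMPLE_DIR))
```

The practical consequence is the one the comments describe: `corp-root.pem` is trusted by an enumerating loader but is invisible to the hashed lookup until the directory is rehashed, so an API that enumerates the OpenSSL directory reports a trust set that the OpenSSL-backed verifier does not actually use.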
When --use-openssl-ca is enabled, TLS clients use OpenSSL's
default certificate locations, but tls.getCACertificates('default')
did not include those certificates.
Expose the enumerable OpenSSL default CA certificates through the
crypto binding and include them in the default CA list returned by
tls.getCACertificates('default').
Also add regression coverage using SSL_CERT_FILE to avoid depending
on the host system CA store.
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Fixes: #64258