
tls: include OpenSSL CAs in default CA list #64269

Open

Archkon wants to merge 2 commits into nodejs:main from Archkon:tls

Conversation

@Archkon Archkon commented Jul 3, 2026

Contributor

Fixes: #64258

@nodejs-github-bot

Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem. typings labels Jul 3, 2026
Comment thread src/crypto/crypto_context.cc
Comment thread doc/api/tls.md
* `"default"`: return the CA certificates that will be used by the Node.js TLS clients by default.
* When [`--use-bundled-ca`][] is enabled (default), or [`--use-openssl-ca`][] is not enabled,
this would include CA certificates from the bundled Mozilla CA store.
* When [`--use-openssl-ca`][] is enabled, this would include CA certificates loaded

@joyeecheung joyeecheung Jul 3, 2026

Member


I think we need to document that the certificates queried this way will diverge from what --use-openssl-ca actually uses to verify the certificates: --use-system-ca differs in that it trusts all certificates from the directories without the hash lookup, which is also e.g. what Go's client does, but --use-openssl-ca actually filters https://docs.openssl.org/1.1.1/man3/X509_LOOKUP_hash_dir/#hashed-directory-method

I am somewhat skeptical whether this should be implemented without a hash lookup, though. Another workaround is to accept a second parameter that indicates the certificate/subject name we are filtering for. I think we will also need an 'openssl' type that takes this filtering argument.
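
The hashed-directory lookup referred to in the comment above, shown as an added example that is not part of this PR or of Node.js: a POSIX shell script driving the openssl CLI. It builds a throwaway CA and a leaf signed by it, then verifies the leaf against two CApath directories that hold the very same CA PEM, one stored under its subject hash as X509_LOOKUP_hash_dir expects (`<hash>.0`) and one under an arbitrary file name. The subject names, file names and the SSL_CERT_DIR run are constructed for this example; the lookup exercised is the one SSL_CTX_set_default_verify_paths installs, i.e. what --use-openssl-ca verifies with.

```shell
#!/bin/sh
# Added example (not from the nodejs/node PR): OpenSSL hashed-directory CA lookup
# versus plain enumeration of a directory. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: self-signed CA plus one leaf signed by it (constructed names).
make_pki() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj "/CN=Example Hash Dir CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=leaf.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# Succeeds only if the leaf chains to a CA that the hash-dir lookup can find in $1.
# Output is checked rather than the exit code so old and new openssl behave alike.
verify_with_capath() {
  openssl verify -no-CAfile -no-CApath -CApath "$1" "$WORK/leaf.pem" 2>/dev/null \
    | grep -q ': OK$'
}

# Same lookup, but the directory comes from SSL_CERT_DIR, the path
# SSL_CTX_set_default_verify_paths (and therefore --use-openssl-ca) takes.
env_dir_verifies() {
  SSL_CERT_DIR="$1" openssl verify -no-CAfile "$WORK/leaf.pem" 2>/dev/null \
    | grep -q ': OK$'
}

# Layout produced by c_rehash / openssl rehash: <subject_hash>.<n>
hashed_dir_verifies() {
  mkdir -p "$WORK/hashed"
  h=$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)
  cp "$WORK/ca.pem" "$WORK/hashed/$h.0"
  verify_with_capath "$WORK/hashed"
}

# Same PEM, but under a name the hash lookup never computes, so it is never opened.
unhashed_dir_verifies() {
  mkdir -p "$WORK/unhashed"
  cp "$WORK/ca.pem" "$WORK/unhashed/my-ca.pem"
  verify_with_capath "$WORK/unhashed"
}

# What an enumerating loader (the --use-system-ca style) would report as trusted.
count_pems() {
  ls "$1"/* | wc -l | tr -d ' '
}

main() {
  make_pki
  if hashed_dir_verifies; then
    echo "hashed/<subject_hash>.0 : leaf verifies"
  fi
  if unhashed_dir_verifies; then
    echo "unhashed/my-ca.pem    : leaf verifies (unexpected)"
  else
    echo "unhashed/my-ca.pem    : CA ignored by hash lookup, leaf does NOT verify"
  fi
  if env_dir_verifies "$WORK/hashed"; then
    echo "SSL_CERT_DIR=hashed   : leaf verifies"
  fi
  if ! env_dir_verifies "$WORK/unhashed"; then
    echo "SSL_CERT_DIR=unhashed : leaf does NOT verify"
  fi
  echo "PEM files an enumerator would list: hashed=$(count_pems "$WORK/hashed")" \
       "unhashed=$(count_pems "$WORK/unhashed")"
}

main
```

Run it as `sh hashdir.sh`. Both directories contain exactly one PEM, so a loader that walks SSL_CERT_DIR lists my-ca.pem as a trusted CA, while OpenSSL never opens that file: the hash-dir method only tries `<subject_hash>.N` names derived from the issuer it is looking for. That is the divergence between an enumerating getCACertificates('default') and what --use-openssl-ca actually trusts.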

@Archkon Archkon Jul 3, 2026

Contributor Author


It seems that hash lookup semantics are specific to the OpenSSL CA store. Adding an extra argument to this method for that case may blur the existing API semantics, since getCACertificates() currently behaves like an enumeration API. Would a separate API (like tls.lookupCACertificates) for OpenSSL-style lookup be a cleaner design?

Archkon added 2 commits July 3, 2026 20:39
  When --use-openssl-ca is enabled, TLS clients use OpenSSL's
  default certificate locations, but tls.getCACertificates('default')
  did not include those certificates.

  Expose the enumerable OpenSSL default CA certificates through the
  crypto binding and include them in the default CA list returned by
  tls.getCACertificates('default').

  Also add regression coverage using SSL_CERT_FILE to avoid depending
  on the host system CA store.

Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

tls.getCACertificates("default") always returns an empty list when using --use-openssl-ca

3 participants