New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: use system CAs instead of bundled ones #8334

Closed
wants to merge 3 commits into
base: master
from

Conversation

Projects
None yet
@AdamMajer
Contributor

AdamMajer commented Aug 30, 2016

Checklist
  • make -j4 test (UNIX), or vcbuild test nosign (Windows) passes
  • commit message follows commit guidelines
Affected core subsystem(s)

crypto

Description of change

Use system supplied CAs instead of using Node's bundled version.
This is a compile time option with default reverting back to
using bundled certificates.

Also simplify cert_store lifetime by using reference count instead
of pulling it from under the SSL_CTX right before deletion.
(merged)

@addaleax

This comment has been minimized.

Show comment
Hide comment
@addaleax
Member

addaleax commented Aug 30, 2016

@addaleax

This comment has been minimized.

Show comment
Hide comment
@addaleax

addaleax Aug 30, 2016

Member

@AdamMajer Here typically Fixes: and full URIs are used when referencing issues to be closed :)

Here’s a CI run: https://ci.nodejs.org/job/node-test-commit/4835/

Member

addaleax commented Aug 30, 2016

@AdamMajer Here typically Fixes: and full URIs are used when referencing issues to be closed :)

Here’s a CI run: https://ci.nodejs.org/job/node-test-commit/4835/

@AdamMajer

This comment has been minimized.

Show comment
Hide comment
@AdamMajer

AdamMajer Aug 30, 2016

Contributor

@addaleax ah ,yes of couse. I'm completely new to NodeJS code review, but it seems that all commit messages have PR-URL: and Reviewed-By:. so is it correct to assume that once pull requests are reviewed, I amend the commit message with these extra headers (And fix my Fixes: header :)) ?

Contributor

AdamMajer commented Aug 30, 2016

@addaleax ah ,yes of couse. I'm completely new to NodeJS code review, but it seems that all commit messages have PR-URL: and Reviewed-By:. so is it correct to assume that once pull requests are reviewed, I amend the commit message with these extra headers (And fix my Fixes: header :)) ?

@addaleax

This comment has been minimized.

Show comment
Hide comment
@addaleax

addaleax Aug 30, 2016

Member

@AdamMajer Usually, the person who lands the PR adds these review headers (the ones you named), but it’s not like there’s anything stopping you from adding PR-URL: https://github.com/nodejs/node/pull/8334 yourself. :)

Member

addaleax commented Aug 30, 2016

@AdamMajer Usually, the person who lands the PR adds these review headers (the ones you named), but it’s not like there’s anything stopping you from adding PR-URL: https://github.com/nodejs/node/pull/8334 yourself. :)

@jasnell

This comment has been minimized.

Show comment
Hide comment
@jasnell

jasnell Aug 30, 2016

Member

I know that @rvagg had suggested that this is best done as a configure option but I can definitely see value in this as a runtime command-line flag also -- even if left undocumented for the time being.

Member

jasnell commented Aug 30, 2016

I know that @rvagg had suggested that this is best done as a configure option but I can definitely see value in this as a runtime command-line flag also -- even if left undocumented for the time being.

@jasnell jasnell changed the title from Distro crypto to crypto: use system CAs instead of bundled ones Aug 30, 2016

@AdamMajer

This comment has been minimized.

Show comment
Hide comment
@AdamMajer

AdamMajer Aug 30, 2016

Contributor

Having it as runtime option is OK in rare situation, maybe if you need to specify multiple stores? But then can't that be done already with the environmental variables SSL_CERT_DIR and SSL_CERT_FILE? Enable this at compile time, then select various stores with environmental variables overriding OpenSSL defaults. That's how I understand it from quick grep through OpenSSL.

An alternative would be to have compile time option "no-bundled-ca-certs" with runtime override option (no-)use-bundled-ca-certs (or something like that),

  1. look for system CAs as primary (including the environmental variables)
  2. fall back bundled CAs unless runtime/compiletime flag set to not use them.

The idea behind compile time selection is to make like easier for Linux distributions (and their users) where bundled CAs are very bad idea. On Linux we definitely would not want to fallback to bundled CAs. But there are quite a per different permutations on how this can be done.

Contributor

AdamMajer commented Aug 30, 2016

Having it as runtime option is OK in rare situation, maybe if you need to specify multiple stores? But then can't that be done already with the environmental variables SSL_CERT_DIR and SSL_CERT_FILE? Enable this at compile time, then select various stores with environmental variables overriding OpenSSL defaults. That's how I understand it from quick grep through OpenSSL.

An alternative would be to have compile time option "no-bundled-ca-certs" with runtime override option (no-)use-bundled-ca-certs (or something like that),

  1. look for system CAs as primary (including the environmental variables)
  2. fall back bundled CAs unless runtime/compiletime flag set to not use them.

The idea behind compile time selection is to make like easier for Linux distributions (and their users) where bundled CAs are very bad idea. On Linux we definitely would not want to fallback to bundled CAs. But there are quite a per different permutations on how this can be done.

@dougwilson

This comment has been minimized.

Show comment
Hide comment
@dougwilson

dougwilson Aug 30, 2016

Member

Would this make it possible to use the Windows system cert store?

Member

dougwilson commented Aug 30, 2016

Would this make it possible to use the Windows system cert store?

@Fishrock123

This comment has been minimized.

Show comment
Hide comment
@Fishrock123

Fishrock123 Aug 30, 2016

Member

Fixes #3159.

Being able to specify a path to root CAs at may also be useful. I think that would be more suited as a runtime flag?

Member

Fishrock123 commented Aug 30, 2016

Fixes #3159.

Being able to specify a path to root CAs at may also be useful. I think that would be more suited as a runtime flag?

@indutny

View changes

Show outdated Hide outdated configure
@indutny

View changes

Show outdated Hide outdated src/node_crypto.h
@AdamMajer

This comment has been minimized.

Show comment
Hide comment
@AdamMajer

AdamMajer Aug 30, 2016

Contributor

On 08/30/2016 05:15 PM, Douglas Wilson wrote:

Would this make it possible to use the Windows system cert store?

For this better question would be, does OpenSSL support using Windows
cert store? I have no idea.

Contributor

AdamMajer commented Aug 30, 2016

On 08/30/2016 05:15 PM, Douglas Wilson wrote:

Would this make it possible to use the Windows system cert store?

For this better question would be, does OpenSSL support using Windows
cert store? I have no idea.

@indutny

This comment has been minimized.

Show comment
Hide comment
@indutny

indutny Aug 30, 2016

Member

LGTM with a define naming nit, unless @bnoordhuis has some comments.

Member

indutny commented Aug 30, 2016

LGTM with a define naming nit, unless @bnoordhuis has some comments.

@jasnell

This comment has been minimized.

Show comment
Hide comment
@jasnell

jasnell Aug 30, 2016

Member

Having it as runtime option is OK in rare situation, maybe if you need to specify multiple stores?

For one, it would make it easier/possible to test this in CI :-)

Member

jasnell commented Aug 30, 2016

Having it as runtime option is OK in rare situation, maybe if you need to specify multiple stores?

For one, it would make it easier/possible to test this in CI :-)

@dougwilson

This comment has been minimized.

Show comment
Hide comment
@dougwilson

dougwilson Aug 30, 2016

Member

For this better question would be, does OpenSSL support using Windows cert store? I have no idea.

Yea, I have no idea, that's why I was asking :) Your config parameter along with it's description would suggest it does, and that it is not restricted to whatever OpenSSL happens to do. Some Googling suggests that no, OpenSSL cannot use the Windows cert store (but I have no idea how to verify those claims), which seems to make the configure switch misleading(?)

Member

dougwilson commented Aug 30, 2016

For this better question would be, does OpenSSL support using Windows cert store? I have no idea.

Yea, I have no idea, that's why I was asking :) Your config parameter along with it's description would suggest it does, and that it is not restricted to whatever OpenSSL happens to do. Some Googling suggests that no, OpenSSL cannot use the Windows cert store (but I have no idea how to verify those claims), which seems to make the configure switch misleading(?)

@AdamMajer

This comment has been minimized.

Show comment
Hide comment
@AdamMajer

AdamMajer Aug 31, 2016

Contributor

Updated to use suggested define name. Minor change to comment, but otherwise same patch.

The runtime option can be done later. The compile time option still needs to be there for 2 reasons,

  1. to not change current default behavior . maybe in node 7 we can delegate root certs to OS only as it should be possible on windows too, see http://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store but I'm not sure whether this belongs in Node or OpenSSL.
  2. all Linux distros would prefer to manage CAs in one place. Here they need to change current default behavior.

One step at a time .

Contributor

AdamMajer commented Aug 31, 2016

Updated to use suggested define name. Minor change to comment, but otherwise same patch.

The runtime option can be done later. The compile time option still needs to be there for 2 reasons,

  1. to not change current default behavior . maybe in node 7 we can delegate root certs to OS only as it should be possible on windows too, see http://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store but I'm not sure whether this belongs in Node or OpenSSL.
  2. all Linux distros would prefer to manage CAs in one place. Here they need to change current default behavior.

One step at a time .

@jasnell

This comment has been minimized.

Show comment
Hide comment
@jasnell

jasnell Aug 31, 2016

Member

LGTM. It's a shame that we don't have a direct way of testing this in CI since we can't set compile time flags for CI. I would say that this should likely be considered to be unsupported/experimental until it's gone through at least one release and we can see if any issues come up on it.

Member

jasnell commented Aug 31, 2016

LGTM. It's a shame that we don't have a direct way of testing this in CI since we can't set compile time flags for CI. I would say that this should likely be considered to be unsupported/experimental until it's gone through at least one release and we can see if any issues come up on it.

@bnoordhuis

View changes

Show outdated Hide outdated src/node_crypto.cc
@bnoordhuis

View changes

Show outdated Hide outdated src/node_crypto.cc
@AdamMajer

This comment has been minimized.

Show comment
Hide comment
@AdamMajer

AdamMajer Sep 9, 2016

Contributor

so, LGTM? Would be nice to have this in Node 6.6

Contributor

AdamMajer commented Sep 9, 2016

so, LGTM? Would be nice to have this in Node 6.6

@jasnell

This comment has been minimized.

Show comment
Hide comment
@jasnell

jasnell Sep 9, 2016

Member

@bnoordhuis @nodejs/crypto ... does this LGTY?

Member

jasnell commented Sep 9, 2016

@bnoordhuis @nodejs/crypto ... does this LGTY?

@sgallagher

This comment has been minimized.

Show comment
Hide comment
@sgallagher

sgallagher Mar 10, 2017

Contributor

@sam-github Yes, we are on 6.10.0 in Fedora. I backported the patch manually and it's currently carried in our downstream packages. It would be convenient if it was maintained by upstream in 6.x, but not strictly required.

Contributor

sgallagher commented Mar 10, 2017

@sam-github Yes, we are on 6.10.0 in Fedora. I backported the patch manually and it's currently carried in our downstream packages. It would be convenient if it was maintained by upstream in 6.x, but not strictly required.

@sam-github

This comment has been minimized.

Show comment
Hide comment
@sam-github

sam-github Mar 10, 2017

Member

@sgallagher I suspect (EDIT: "ed") it would be more useful to distros if backported.

Can you PR your backport to node so Adam or I don't have to redo it?

Member

sam-github commented Mar 10, 2017

@sgallagher I suspect (EDIT: "ed") it would be more useful to distros if backported.

Can you PR your backport to node so Adam or I don't have to redo it?

@sgallagher sgallagher referenced this pull request Mar 10, 2017

Closed

crypto: Use system CAs instead of using bundled ones #11794

0 of 4 tasks complete
@sgallagher

This comment has been minimized.

Show comment
Hide comment
@sgallagher

sgallagher Mar 10, 2017

Contributor

@sam-github Sure. It was nearly trivial, but see #11794

Contributor

sgallagher commented Mar 10, 2017

@sam-github Sure. It was nearly trivial, but see #11794

@jirutka

This comment has been minimized.

Show comment
Hide comment
@jirutka

jirutka Mar 11, 2017

In Alpine Linux we are also on 6.10.0 now, I've used the patch from @sgallagher (thanks for it!).

jirutka commented Mar 11, 2017

In Alpine Linux we are also on 6.10.0 now, I've used the patch from @sgallagher (thanks for it!).

@gibfahn gibfahn referenced this pull request Mar 17, 2017

Closed

Potential Semver Minor Backports #188

28 of 31 tasks complete

MylesBorins added a commit that referenced this pull request May 16, 2017

crypto: do not use pointers to std::vector
The pointer to std::vector is unnecessary, so replace it with standard
instance. Also, make the for() loop more readable by using actual type
instead of inferred - there is no readability benefit here from
obfuscating the type.

PR-URL: #8334
Backport-PR-URL: #11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

MylesBorins added a commit that referenced this pull request May 16, 2017

crypto: Use system CAs instead of using bundled ones
NodeJS can already use an external, shared OpenSSL library. This
library knows where to look for OS managed certificates. Allow
a compile-time option to use this CA store by default instead of
using bundled certificates.

In case when using bundled OpenSSL, the paths are also valid for
majority of Linux systems without additional intervention. If
this is not set, we can use SSL_CERT_DIR to point it to correct
location.

Fixes: #3159
PR-URL: #8334
Backport-PR-URL: #11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

MylesBorins added a commit that referenced this pull request May 16, 2017

crypto: ability to select cert store at runtime
PR-URL: #8334
Backport-PR-URL: #11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

MylesBorins added a commit that referenced this pull request May 18, 2017

crypto: do not use pointers to std::vector
The pointer to std::vector is unnecessary, so replace it with standard
instance. Also, make the for() loop more readable by using actual type
instead of inferred - there is no readability benefit here from
obfuscating the type.

PR-URL: #8334
Backport-PR-URL: #11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

MylesBorins added a commit that referenced this pull request May 18, 2017

crypto: Use system CAs instead of using bundled ones
NodeJS can already use an external, shared OpenSSL library. This
library knows where to look for OS managed certificates. Allow
a compile-time option to use this CA store by default instead of
using bundled certificates.

In case when using bundled OpenSSL, the paths are also valid for
majority of Linux systems without additional intervention. If
this is not set, we can use SSL_CERT_DIR to point it to correct
location.

Fixes: #3159
PR-URL: #8334
Backport-PR-URL: #11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

MylesBorins added a commit that referenced this pull request May 18, 2017

crypto: ability to select cert store at runtime
PR-URL: #8334
Backport-PR-URL: #11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

@MylesBorins MylesBorins referenced this pull request May 23, 2017

Merged

v6.11.0 proposal #13059

MylesBorins added a commit that referenced this pull request Jun 6, 2017

2017-06-06, Version 6.11.0 'Boron' (LTS)
This LTS release comes with 126 commits. This includes 40 which
are test related, 32 which are doc related, 12 which are
build / tool related and 4 commits which are updates to
dependencies.

Notable Changes:

* build:
  - support for building mips64el (nanxiongchao)
    #10991
* cluster:
  - disconnect() now returns a reference to the disconnected
    worker. (Sean Villars)
    #10019
* crypto:
  - ability to select cert store at runtime (Adam Majer)
    #8334
  - Use system CAs instead of using bundled ones (Adam Majer)
    #8334
  - The `Decipher` methods `setAuthTag()` and `setAAD` now return
    `this`. (Kirill Fomichev)
    #9398
  - adding support for OPENSSL_CONF again (Sam Roberts)
    #11006
  - make LazyTransform compabile with Streams1 (Matteo Collina)
    #12380
* deps:
  - upgrade libuv to 1.11.0 (cjihrig)
    #11094
  - upgrade libuv to 1.10.2 (cjihrig)
    #10717
  - upgrade libuv to 1.10.1 (cjihrig)
    #9647
  - upgrade libuv to 1.10.0 (cjihrig)
    #9267
* dns:
  - Implemented `{ttl: true}` for `resolve4()` and `resolve6()`
    (Ben Noordhuis)
    #9296
* process:
  - add NODE_NO_WARNINGS environment variable (cjihrig)
    #10842
* readline:
  - add option to stop duplicates in history (Danny Nemer)
    #2982
* src:
  - support "--" after "-e" as end-of-options (John Barboza)
    #10651
* tls:
  - new tls.TLSSocket() supports sec ctx options (Sam Roberts)
    #11005
  - Allow obvious key/passphrase combinations. (Sam Roberts)
    #10294

PR-URL: #13059

MylesBorins added a commit that referenced this pull request Jun 6, 2017

2017-06-06, Version 6.11.0 'Boron' (LTS)
This LTS release comes with 126 commits. This includes 40 which
are test related, 32 which are doc related, 12 which are
build / tool related and 4 commits which are updates to
dependencies.

Notable Changes:

* build:
  - support for building mips64el (nanxiongchao)
    #10991
* cluster:
  - disconnect() now returns a reference to the disconnected
    worker. (Sean Villars)
    #10019
* crypto:
  - ability to select cert store at runtime (Adam Majer)
    #8334
  - Use system CAs instead of using bundled ones (Adam Majer)
    #8334
  - The `Decipher` methods `setAuthTag()` and `setAAD` now return
    `this`. (Kirill Fomichev)
    #9398
  - adding support for OPENSSL_CONF again (Sam Roberts)
    #11006
  - make LazyTransform compabile with Streams1 (Matteo Collina)
    #12380
* deps:
  - upgrade libuv to 1.11.0 (cjihrig)
    #11094
  - upgrade libuv to 1.10.2 (cjihrig)
    #10717
  - upgrade libuv to 1.10.1 (cjihrig)
    #9647
  - upgrade libuv to 1.10.0 (cjihrig)
    #9267
* dns:
  - Implemented `{ttl: true}` for `resolve4()` and `resolve6()`
    (Ben Noordhuis)
    #9296
* process:
  - add NODE_NO_WARNINGS environment variable (cjihrig)
    #10842
* readline:
  - add option to stop duplicates in history (Danny Nemer)
    #2982
* src:
  - support "--" after "-e" as end-of-options (John Barboza)
    #10651
* tls:
  - new tls.TLSSocket() supports sec ctx options (Sam Roberts)
    #11005
  - Allow obvious key/passphrase combinations. (Sam Roberts)
    #10294

PR-URL: #13059

andrew749 added a commit to michielbaird/node that referenced this pull request Jul 19, 2017

crypto: do not use pointers to std::vector
The pointer to std::vector is unnecessary, so replace it with standard
instance. Also, make the for() loop more readable by using actual type
instead of inferred - there is no readability benefit here from
obfuscating the type.

PR-URL: nodejs/node#8334
Backport-PR-URL: nodejs/node#11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

andrew749 added a commit to michielbaird/node that referenced this pull request Jul 19, 2017

crypto: Use system CAs instead of using bundled ones
NodeJS can already use an external, shared OpenSSL library. This
library knows where to look for OS managed certificates. Allow
a compile-time option to use this CA store by default instead of
using bundled certificates.

In case when using bundled OpenSSL, the paths are also valid for
majority of Linux systems without additional intervention. If
this is not set, we can use SSL_CERT_DIR to point it to correct
location.

Fixes: nodejs/node#3159
PR-URL: nodejs/node#8334
Backport-PR-URL: nodejs/node#11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

andrew749 added a commit to michielbaird/node that referenced this pull request Jul 19, 2017

crypto: ability to select cert store at runtime
PR-URL: nodejs/node#8334
Backport-PR-URL: nodejs/node#11794
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

andrew749 added a commit to michielbaird/node that referenced this pull request Jul 19, 2017

2017-06-06, Version 6.11.0 'Boron' (LTS)
This LTS release comes with 126 commits. This includes 40 which
are test related, 32 which are doc related, 12 which are
build / tool related and 4 commits which are updates to
dependencies.

Notable Changes:

* build:
  - support for building mips64el (nanxiongchao)
    nodejs/node#10991
* cluster:
  - disconnect() now returns a reference to the disconnected
    worker. (Sean Villars)
    nodejs/node#10019
* crypto:
  - ability to select cert store at runtime (Adam Majer)
    nodejs/node#8334
  - Use system CAs instead of using bundled ones (Adam Majer)
    nodejs/node#8334
  - The `Decipher` methods `setAuthTag()` and `setAAD` now return
    `this`. (Kirill Fomichev)
    nodejs/node#9398
  - adding support for OPENSSL_CONF again (Sam Roberts)
    nodejs/node#11006
  - make LazyTransform compabile with Streams1 (Matteo Collina)
    nodejs/node#12380
* deps:
  - upgrade libuv to 1.11.0 (cjihrig)
    nodejs/node#11094
  - upgrade libuv to 1.10.2 (cjihrig)
    nodejs/node#10717
  - upgrade libuv to 1.10.1 (cjihrig)
    nodejs/node#9647
  - upgrade libuv to 1.10.0 (cjihrig)
    nodejs/node#9267
* dns:
  - Implemented `{ttl: true}` for `resolve4()` and `resolve6()`
    (Ben Noordhuis)
    nodejs/node#9296
* process:
  - add NODE_NO_WARNINGS environment variable (cjihrig)
    nodejs/node#10842
* readline:
  - add option to stop duplicates in history (Danny Nemer)
    nodejs/node#2982
* src:
  - support "--" after "-e" as end-of-options (John Barboza)
    nodejs/node#10651
* tls:
  - new tls.TLSSocket() supports sec ctx options (Sam Roberts)
    nodejs/node#11005
  - Allow obvious key/passphrase combinations. (Sam Roberts)
    nodejs/node#10294

PR-URL: nodejs/node#13059

@JPvRiel JPvRiel referenced this pull request May 22, 2018

Open

CA File #340

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment