Skip to content

Commit

Permalink
src: check node_extra_ca_certs after openssl cfg
Browse files Browse the repository at this point in the history
I recently discovered that the custom NodeJS specific OpenSSL
config section in openssl.cnf would not be respected, if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.

PR-URL: nodejs#48159
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
  • Loading branch information
ckcr4lyf authored and Ceres6 committed Aug 14, 2023
1 parent 2c388cf commit d2d9d10
Showing 1 changed file with 6 additions and 5 deletions.
11 changes: 6 additions & 5 deletions src/node.cc
Original file line number Diff line number Diff line change
Expand Up @@ -961,11 +961,6 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
return ret;
};

{
std::string extra_ca_certs;
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
crypto::UseExtraCaCerts(extra_ca_certs);
}
// In the case of FIPS builds we should make sure
// the random source is properly initialized first.
#if OPENSSL_VERSION_MAJOR >= 3
Expand Down Expand Up @@ -1052,6 +1047,12 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
CHECK(crypto::CSPRNG(buffer, length).is_ok());
return true;
});

{
std::string extra_ca_certs;
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
crypto::UseExtraCaCerts(extra_ca_certs);
}
#endif // HAVE_OPENSSL && !defined(OPENSSL_IS_BORINGSSL)
}

Expand Down

0 comments on commit d2d9d10

Please sign in to comment.