
please provide a way to use system-installed root certificates instead of bundled ones #3159

Closed
kapouer opened this issue Oct 2, 2015 · 25 comments
Labels
feature request Issues that request new features to be added to Node.js. security Issues and PRs related to security. tls Issues and PRs related to the tls subsystem.

Comments

@kapouer
Contributor

kapouer commented Oct 2, 2015

This is related to #1256.

In Debian and derivatives, and probably other distributions too,
certificates are managed and configured system-wide.
For example /etc/ssl/certs/ca-certificates.crt, which is also user-configurable.
It is so expected and useful that it'd be nice to add a configure switch to nodejs
so that it bundles a custom file, or even better, a runtime switch.
Currently I have a patch on nodejs partially doing that,
and I kept it beside me until someone complained it wasn't in the original release.

@mscdex mscdex added tls Issues and PRs related to the tls subsystem. feature request Issues that request new features to be added to Node.js. labels Oct 2, 2015
@rvagg
Member

rvagg commented Oct 3, 2015

probably a feature for --configure

/cc @nodejs/crypto @nodejs/build

@osher
Contributor

osher commented Feb 8, 2016

+1

We need this feature too. I'm working with a corporate that uses RapidSSL, which is not in the bundled certs list (as far as I can see).
On top of that, there just might be self-signed or self-verifying authorities that inner networks might need to trust.

Thanks
:)

@jbergstroem
Member

I like this as well. Can you file a PR?

@brianary

+1

This is also needed for decrypting corporate firewalls that use self-signed certificates which have been placed into OS cert stores by IT automation.

@AdamMajer
Contributor

PR: #8334 should fix this issue.

@fujifish

https://github.com/capriza/syswide-cas provides a temporary workaround by loading certs from system-wide directories and automatically using them in conjunction with the bundled root CAs.

@ChALkeR ChALkeR added the security Issues and PRs related to security. label Nov 3, 2016
AdamMajer added a commit to AdamMajer/node that referenced this issue Dec 21, 2016
NodeJS can already use an external, shared OpenSSL library. This
library knows where to look for OS managed certificates. Allow
a compile-time option to use this CA store by default instead of
using bundled certificates.

In case when using bundled OpenSSL, the paths are also valid for
majority of Linux systems without additional intervention. If
this is not set, we can use SSL_CERT_DIR to point it to correct
location.

Fixes: nodejs#3159
PR-URL: nodejs#8334
italoacasas pushed a commit to italoacasas/node that referenced this issue Jan 25, 2017
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
italoacasas pushed a commit to italoacasas/node that referenced this issue Jan 27, 2017
italoacasas pushed a commit to italoacasas/node that referenced this issue Jan 30, 2017
italoacasas pushed a commit to italoacasas/node that referenced this issue Jan 30, 2017
MylesBorins pushed a commit that referenced this issue May 16, 2017
Backport-PR-URL: #11794
MylesBorins pushed a commit that referenced this issue May 18, 2017
andrew749 pushed a commit to michielbaird/node that referenced this issue Jul 19, 2017
@FranklinYu

This is only solved for OpenSSL. In Windows, the system trust store is managed by CertMgr. In macOS it’s Keychain. Both should also be supported.

Please re-open this issue.

@sam-github
Contributor

Node.js only supports OpenSSL; this feature requested by @kapouer was implemented.

You can open another feature request if you'd like. Be aware that a node feature request, either open or closed, doesn't imply that anyone is going to volunteer to implement it.

Since doing this would require a new OpenSSL cert store, I recommend opening an issue against OpenSSL, or asking on their mailing list. Maybe there is a solution already, or they can point you to previous discussions. I'd be very surprised if this hadn't been requested of them before.

@FranklinYu

> Node.js only supports OpenSSL

How did this work in Windows? AFAIK Windows doesn’t support OpenSSL officially.

@sam-github
Contributor

Node.js includes a copy of OpenSSL, it doesn't need to be supported by Windows.

@beejei

beejei commented Jun 10, 2020

To access the system certificate inside of Windows/macOS, additional implementation is needed.
It can't be done with OpenSSL.
From my point of view, this issue is partially solved.

In my case, this issue is quite important since big companies restrict access to internal services with an unexportable self-signed certificate (which is located in the system keystore) for security concerns.

@thebigredgeek

Is this really still an issue?

@beejei

beejei commented Jul 15, 2020

@thebigredgeek Yes, in an enterprise environment, the security team strictly prohibits the export of the SSO client certificate (which is in the system keystore). And internal services also do not provide any technical account or token.
If node.js can internally access the SSO client certificate, we could integrate everything based on it. Electron-based apps also get this benefit. We can create desktop apps for the enterprise environment.

@sberney

sberney commented Aug 10, 2020

If this was completed, how do I use system-installed root certificates instead of bundled ones? It seems like there are tools to explicitly add my certificates to nodejs, but I can't find any documentation about how to get it to forget about its own certificate store, and only use my system store (particularly, without providing any paths).

@bnoordhuis
Member

> and only use my system store (particularly, without providing any paths)

If you expect node to magically know where your system's certificate store can be found, it doesn't, bad expectation, but you can point it in the right direction with the --use-openssl-ca <dir> or --openssl-config <file> options (the SSL_CERT_DIR and OPENSSL_CONF environment variables, respectively.)

@brianary

> If you expect node to magically know where your system's certificate store can be found, it doesn't, bad expectation,

No, that's the whole point of Windows keeping certs in a well-known system-managed store in the registry. Native Windows apps look for certs by specifying a StoreLocation (CurrentUser or LocalMachine) and a StoreName (a purpose category), then certs can be enumerated or searched. An individual cert can be located by matching a value to any field (using X509FindType, often FindBySubjectName or FindByThumbprint) and optionally filtering to currently valid certs.

Exporting certificates to the filesystem and keeping them in sync isn't really idiomatic to the platform. It's a lowest-common-denominator approach to cross-platform support.

@brianary

For the purposes of this issue, node would load the certs from the AuthRoot store in both the CurrentUser and LocalMachine locations to populate its CA list.

@bnoordhuis
Member

bnoordhuis commented Aug 11, 2020

As you can probably tell from the --use-openssl-ca switch, node farms out certificate management to openssl and openssl doesn't support what you're asking for.

You could file a feature request with the openssl project but check its mailing list, it's a topic that's come up many times before and there are Reasons why things are the way they are.

@brianary

Without that context, I can't really address any of that history. It seems like using more than exclusively openssl could be an option. 🤷‍♂️ It's a topic for another forum, I guess.

But there is also a Reason you'll continue to get this request.

@sberney

sberney commented Aug 12, 2020

I agree with @brianary -- not providing paths is indeed the entire point. I maintain the list of my certificates once and only once in a central location, and the applications I use know to look, without any configuration, for the system certificates that come pre-installed on every operating system. Sure, different operating systems put them in different places. But Windows and Linux aren't the same and always require different treatment. Sure, different distros of linux could put their root certificate stores in different places, but they don't vary very much. The location of the certificates on MacOS is predictable. It's predictable.

If I have to type in a filesystem path to run my interpreted program, there is a code-smell. My program won't work cross-platform, and it will be a giant pain for others to set up (and result in me fielding endless support questions about how to get their certificates installed correctly). It won't work in more strict corporate environments. It won't work in situations where certificates are managed by a 3rd party security division.

As you say, decisions in the internal implementation of node have made it easier for you to not solve this problem, and allow people to find workarounds. But this isn't solved, and it's not magic. Other programs like wget and .NET Core seem to have this down without issue.

@beejei

beejei commented Aug 12, 2020

From my perspective, it is simple.
If you'd like to make the Node runtime behave just like a usual browser (Chromium, Puppeteer, ...) and let users expect the same behavior as browsers, this is worth considering. (Also my preference.)
If you would like Node to behave differently and depend more on the bundled certs, then yes, it's not an issue.

Just FYI, at some point Firefox also started to optionally refer to system certificates. I think this change makes a lot of sense.

@bnoordhuis
Member

If you want a way forward: open a pull request implementing it for the Big Three (Linux, macOS, Windows) and see how it's received.

Technologies:

  • Windows -> CryptoAPI
  • macOS -> Security.framework
  • Linux -> read /etc/ssl/certs? (My Linux desktop has two cert stores. Which one do you pick? Why?)

@AdamMajer
Contributor

The original patch was to use system CA by a system installed OpenSSL. From OpenSSL,

https://mta.openssl.org/pipermail/openssl-users/2018-September/008691.html

OpenSSL does not use any certificate store, on any platform, it is up to the applications to do what they need.

OpenSSL does use $OPENSSLDIR/cert.pem
and $OPENSSL/certs/ as the default CAfile and CApath respectively
via the:

SSL_CTX_set_default_verify_paths()

On Linux systems, the system CA store/OpenSSL maintainer(s) would alter these paths and install other certificates into these stores (or compatible ones). I know that we have to manage various databases of these things for different software, like Firefox or libnss.

https://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store

So for Windows, if you would like Node to use the cert store from Windows, I think it's up to you to provide the code required. Just like it was up to someone to provide the code required to use a non-bundled CA list on Linux. I don't think anyone else will start working on this unless there is interest. And for the last few years, not much interest.

You have the source code. Add the needed functionality (yourself or hire someone to do this for you). Make a Pull Request. Fix things that need to be fixed to get it accepted into Node proper. This is the power of open source - you have the power to change and improve the program incrementally for the "killer" features you must have.

@sberney

sberney commented Aug 18, 2020

You're right about open source; I wish my job was set up for me to do this type of thing. Anybody else want to take a crack at it? 😋

@marxangels

NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt node -e 'require("request")("https://local.host", console.log)'

abhishekumar-tyagi pushed a commit to abhishekumar-tyagi/node that referenced this issue May 5, 2024