Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v16.x] src,doc,test: add --openssl-shared-config option #43892

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions doc/api/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -749,6 +749,21 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
used to enable FIPS-compliant crypto if Node.js is built
against FIPS-enabled OpenSSL.

### `--openssl-shared-config`

<!-- YAML
added: REPLACEME
-->

Enable OpenSSL default configuration section, `openssl_conf` to be read from
the OpenSSL configuration file. The default configuration file is named
`openssl.cnf` but this can be changed using the environment variable
`OPENSSL_CONF`, or by using the command line option `--openssl-config`.
The location of the default OpenSSL configuration file depends on how OpenSSL
is being linked to Node.js. Sharing the OpenSSL configuration may have unwanted
implications and it is recommended to use a configuration section specific to
Node.js which is `nodejs_conf` and is default when this option is not used.

### `--openssl-legacy-provider`

<!-- YAML
Expand Down Expand Up @@ -1620,6 +1635,7 @@ Node.js options that are allowed are:
* `--node-memory-debug`
* `--openssl-config`
* `--openssl-legacy-provider`
* `--openssl-shared-config`
* `--pending-deprecation`
* `--policy-integrity`
* `--preserve-symlinks-main`
Expand Down
6 changes: 6 additions & 0 deletions src/node.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1096,6 +1096,12 @@ InitializationResult InitializeOncePerProcess(
// instead only the section that matches the value of conf_section_name
// will be read from the default configuration file.
const char* conf_file = nullptr;
// To allow for using the previous default where the 'openssl_conf' appname
// was used, the command line option 'openssl-shared-config' can be used to
// force the old behavior.
if (per_process::cli_options->openssl_shared_config) {
conf_section_name = "openssl_conf";
}
// Use OPENSSL_CONF environment variable is set.
std::string env_openssl_conf;
credentials::SafeGetenv("OPENSSL_CONF", &env_openssl_conf);
Expand Down
5 changes: 4 additions & 1 deletion src/node_options.cc
Original file line number Diff line number Diff line change
Expand Up @@ -824,13 +824,16 @@ PerProcessOptionsParser::PerProcessOptionsParser(
"minimum allocation size from the OpenSSL secure heap",
&PerProcessOptions::secure_heap_min,
kAllowedInEnvironment);
AddOption("--openssl-shared-config",
"enable OpenSSL shared configuration",
&PerProcessOptions::openssl_shared_config,
kAllowedInEnvironment);
#endif // HAVE_OPENSSL
#if OPENSSL_VERSION_MAJOR >= 3
AddOption("--openssl-legacy-provider",
"enable OpenSSL 3.0 legacy provider",
&PerProcessOptions::openssl_legacy_provider,
kAllowedInEnvironment);

#endif // OPENSSL_VERSION_MAJOR
AddOption("--use-largepages",
"Map the Node.js static code to large pages. Options are "
Expand Down
1 change: 1 addition & 0 deletions src/node_options.h
Original file line number Diff line number Diff line change
Expand Up @@ -247,6 +247,7 @@ class PerProcessOptions : public Options {
std::string tls_cipher_list = DEFAULT_CIPHER_LIST_CORE;
int64_t secure_heap = 0;
int64_t secure_heap_min = 2;
bool openssl_shared_config = false;
#ifdef NODE_OPENSSL_CERT_STORE
bool ssl_openssl_cert_store = true;
#else
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ const conditionalOpts = [
return [
'--openssl-config',
common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
'--openssl-shared-config',
'--tls-cipher-list',
'--use-bundled-ca',
'--use-openssl-ca',
Expand Down