crypto: add NODE_EXTRA_CA_CERTS to modified cert stores #44448
Closed
Fixes the NODE_EXTRA_CA_CERTS root certificates being missing in a SecureContext when the crl or pfx options are specified in a call to tls.createSecureContext().

As part of this change, specifying NODE_EXTRA_CA_CERTS no longer causes the bundled CA store to be immediately loaded at startup. Instead, the bundled CAs will be loaded on the first call to tls.createSecureContext(), the same as how Node.js works by default. This improves startup performance and partially mitigates issue #40524.

Due to the deferred bundled CA loading described above, the NODE_EXTRA_CA_CERTS are now loaded into the X509_STORE before the bundled certificates instead of after. Please let me know if this creates a risk of a breaking change; I opted for simpler logic for the initial PR.

Fixes: #32010
Refs: #40524
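
A caller-side guard for the case described above, as an added example that is not part of this pull request or of Node.js: on a build without the fix, it passes the bundled roots plus the NODE_EXTRA_CA_CERTS certificates explicitly as ca whenever crl or pfx is set. The helper names are hypothetical, and it assumes the bundled store (tls.rootCertificates) is the default trust store in use.

```javascript
// Added example; splitPemBundle, withExplicitTrust and secureContextOptions
// are hypothetical helper names, not Node.js APIs.
const fs = require('node:fs');
const tls = require('node:tls');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle (the file format NODE_EXTRA_CA_CERTS points at)
// into one string per certificate.
function splitPemBundle(text) {
  return text.match(PEM_CERT) || [];
}

// When crl or pfx is set and the caller did not choose its own `ca`,
// return a copy of the options with the trust anchors listed explicitly,
// so the extra CAs cannot be dropped when the store is rebuilt.
function withExplicitTrust(options, extraPem, roots = tls.rootCertificates) {
  const affected = options.crl !== undefined || options.pfx !== undefined;
  if (!affected || options.ca !== undefined) return options;
  const extras = splitPemBundle(extraPem);
  if (extras.length === 0) return options;
  return { ...options, ca: [...roots, ...extras] };
}

// Read the bundle named by the environment variable. A missing or
// unreadable file throws here instead of silently shrinking the trust set.
function secureContextOptions(options, env = process.env) {
  const file = env.NODE_EXTRA_CA_CERTS;
  if (!file) return options;
  return withExplicitTrust(options, fs.readFileSync(file, 'utf8'));
}

module.exports = { splitPemBundle, withExplicitTrust, secureContextOptions };
```

The result is passed to tls.createSecureContext() in place of the original options object; options that already set ca are returned unchanged.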