Fix CA certificates #189
Merged
Fix CA certificates #189
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mariotaku
approved these changes
Jun 10, 2024
kitsuned
requested changes
Jun 11, 2024
throwaway96
force-pushed
the
cert-fix-2-20240609
branch
from
10ed3ba to
9fa72be
Compare
This was
linked to
issues
Jun 13, 2024
|
hey, @throwaway96! you and i may come to some agreement. :) |
|
Can we please just get this merged so the homebrew channel actually works again? |
This should work on all webOS versions. It loads certificates from the Mozilla CA cert bundle. Users may add additional certs by placing PEM-encoded files in the "certs" directory. The code for loading the certs can be found at: https://github.com/throwaway96/node-load-cert-dir
throwaway96
force-pushed
the
cert-fix-2-20240609
branch
from
9fa72be to
bede23f
Compare
|
I think this can be merged once we get a few positive reports from people testing v0.7.0-test2. Worked fine for me on webOS 6 (o20n). |
kitsuned
approved these changes
Aug 4, 2024
|
The v0.7.0-test2 of Homebrew Channel works for my LG SM9000PLA with webOS 4.x and firmware v05.40.45 🥳 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
nodebinary contains a built-in set of trusted CA certificates that never gets updated. Therefore, Node.js services are stuck using whatever certs were bundled when that potentially ancient Node version was released.Newer versions of Node.js (on webOS 5+) support the
--use-openssl-caoption, which makesnodeuse/etc/ssl/certsinstead of its own bundle—but that doesn't help us on older versions. Indeed, there doesn't seem to be a clean way to fix this globally on Node 0.10.x and 0.12.x. So, I ended up creating a wrapper aroundfetch()that controls what certificates it trusts.All PEM certs in
<service dir>/certswill be treated as trusted. I have included the Mozilla CA cert bundle from curl, but users can also add additional certs. If people don't think that's useful, I could simplify the code by just loading a single file (which users could still modify). We could also theoretically just embed the certs in a JS file and avoid the "parsing" part altogether, but that would significantly reduce flexibility.While testing this on webOS 1, I was able to download and install Kodi and apps hosted on GitHub. It could use more testing on other webOS versions. It's not perfect, but I'm tired. And I want to get a release out this year.