-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: tls.rootCertificates empty #32229
Comments
Furthermore, the build is failing with the tests that were added in the commit. https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs13
|
/cc @nodejs/crypto @addaleax @bnoordhuis @ebickle |
Will take a look. Has the original commit been reverted or are you looking for an additional commit/fix over top? The issue likely relates to the behavior of |
I've reverted it for testing purposes. Of course what we need is fix the regression and also fix the original issue. |
I've narrowed the issue down to the following:
A proper fix for this will need to load all certificates into the X509_STORE instead of on-demand. I need to dig a bit deeper to see if there's an existing OpenSSL function for doing so. Can anyone think of any potential issues if the "on-demand lookup" certificates were completely loaded into the X509_STORE cache? |
The biggest one is probably performance? |
I agree. All solutions, regardless of technology, will require an unknown number of certificates to be loaded from the filesystem whenever In terms of technology, OpenSSL appears to lack a function to repopulate the cache. Loading all of the certificates would likely require listing all files in the certificate directory, filtering out any filename that doesn't match the hashing pattern, then loading each file as an X509 certificate into memory. There are only two sensible locations to put any code
There aren't any good alternate options either:
The original request that lead to the creation of We have a similar issue at the company I work for, and I had been planning on submitting a subsequent PR to add setter support to At this point, there are a few design approaches:
4a is the simplest option - do nothing. I'm equally torn between 2, 3, and 4b. |
On 3/13/20 2:53 PM, Eric Bickle wrote:
1. During the first call to |tls.rootCertificates|. The load would have
to be synchronous.
This would be OK. Could also add a function to do this async.
Current documentation doesn't specify this is a settable value, but I
guess it could be extended.
https://nodejs.org/dist/latest-v13.x/docs/api/tls.html#tls_tls_rootcertificates
2. Return a blank array from get tls.rootCertificates when system
certificates are used, document the behavior, add set
tls.rootCertificates to allow the cert store to be modified.
I've never actually checked the current tls.rootCertificates if it was
embedded certs or OpenSSL's. As long as actual connection used system
CA, there are no issues on my side. I'm happy if this returns [] if the
documentation says that it returns only added user certs on top of the
system CAs.
But the tests should not fail in this case either ;)
- Adam
PS. OpenSSL doesn't load the entire cert store to verify certificates
(unless the cert store is a file, not a path). The hash links in the
store path are used to load certificates on-demand.
|
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
Crypto team, could I get some feedback on what you'd recommend as the best option to resolve this issue? Options:
#4 is non-deterministic. The others have similar pros and cons. |
I prefer (1). #25824 asked for a way to obtain the built-in certificates and that's why I added |
A fix to tls.rootCertificates to have it correctly return the process' current root certificates resulted in non-deterministic behavior when Node.js is configured to use an OpenSSL system or file-based certificate store. The safest action is to revert the change and change the specification for tls.rootCertificates to state that it only returns the bundled certificates instead of the current ones. Fixes: nodejs#32229 Refs: nodejs#32074
Update tls.rootCertificates documentation to clarify that it returns the bundled Node.js root certificates rather than the root certificates used by tls.createSecureContext. Fixes: nodejs#32074 Refs: nodejs#32229
Update tls.rootCertificates documentation to clarify that it returns the bundled Node.js root certificates rather than the root certificates used by tls.createSecureContext. Fixes: nodejs#32074 Refs: nodejs#32229 PR-URL: nodejs#33313 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
A fix to tls.rootCertificates to have it correctly return the process' current root certificates resulted in non-deterministic behavior when Node.js is configured to use an OpenSSL system or file-based certificate store. The safest action is to revert the change and change the specification for tls.rootCertificates to state that it only returns the bundled certificates instead of the current ones. Fixes: #32229 Refs: #32074 PR-URL: #33313 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
Update tls.rootCertificates documentation to clarify that it returns the bundled Node.js root certificates rather than the root certificates used by tls.createSecureContext. Fixes: #32074 Refs: #32229 PR-URL: #33313 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
A fix to tls.rootCertificates to have it correctly return the process' current root certificates resulted in non-deterministic behavior when Node.js is configured to use an OpenSSL system or file-based certificate store. The safest action is to revert the change and change the specification for tls.rootCertificates to state that it only returns the bundled certificates instead of the current ones. Fixes: #32229 Refs: #32074 PR-URL: #33313 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
Update tls.rootCertificates documentation to clarify that it returns the bundled Node.js root certificates rather than the root certificates used by tls.createSecureContext. Fixes: #32074 Refs: #32229 PR-URL: #33313 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
A fix to tls.rootCertificates to have it correctly return the process' current root certificates resulted in non-deterministic behavior when Node.js is configured to use an OpenSSL system or file-based certificate store. The safest action is to revert the change and change the specification for tls.rootCertificates to state that it only returns the bundled certificates instead of the current ones. Fixes: #32229 Refs: #32074 PR-URL: #33313 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
Update tls.rootCertificates documentation to clarify that it returns the bundled Node.js root certificates rather than the root certificates used by tls.createSecureContext. Fixes: #32074 Refs: #32229 PR-URL: #33313 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
A fix to tls.rootCertificates to have it correctly return the process' current root certificates resulted in non-deterministic behavior when Node.js is configured to use an OpenSSL system or file-based certificate store. The safest action is to revert the change and change the specification for tls.rootCertificates to state that it only returns the bundled certificates instead of the current ones. Fixes: #32229 Refs: #32074 PR-URL: #33313 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
Update tls.rootCertificates documentation to clarify that it returns the bundled Node.js root certificates rather than the root certificates used by tls.createSecureContext. Fixes: #32074 Refs: #32229 PR-URL: #33313 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
For environments that use system CA store by configuring with --openssl-use-def-ca-store --shared-openssl
What steps will reproduce the bug?
After reverting commit 091444a
So this is a regression after fixing #32074
The text was updated successfully, but these errors were encountered: