-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: copy client CAs and cert store on CertCb #3537
Conversation
|
||
template <class Base> | ||
int SSLWrap<Base>::SetCACerts(SecureContext* sc) { | ||
SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should check the return code here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea, though it can't fail in current OpenSSL implementation.
Left some comments. The commit log could go into more detail into why this change is necessary. |
@bnoordhuis pushed fixes, thanks! |
CI seems to be green, LGTY @bnoordhuis ? |
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: nodejs#2772
387e4b9
to
7f60df5
Compare
@bnoordhuis updated commit message too |
|
||
STACK_OF(X509_NAME)* list = SSL_dup_CA_list( | ||
SSL_CTX_get_client_CA_list(sc->ctx_)); | ||
SSL_set_client_CA_list(ssl_, list); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add a comment explaining that SSL_set_client_CA_list
takes ownership of the duplicate? And maybe explain why you copy it from the SSL_CTX
to the SSL
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK.
All fixed, PTAL @bnoordhuis |
LGTM |
Landed in 483a41c, thank you! |
I'm having trouble working out if this is a bugfix or something closer to a semver-minor. @indutny can you make a call on whether this would qualify for backporting to LTS? |
This is a bugfix. |
I think it qualifies for backport. |
The line on this one may be rather fuzzy but I tend to agree with @indutny |
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: nodejs#2772 PR-URL: nodejs#3537 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: nodejs#2772 PR-URL: nodejs#3537 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Copy client CA certs and cert store when asynchronously selecting
SecureContext
duringSNICallback
.Fix: #2772
cc @nodejs/crypto