crypto: use X509_V_FLAG_TRUSTED_FIRST for tls

deps/openssl/openssl/apps/apps.c

@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *pargc,
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
 	else if (!strcmp(arg, "-check_ss_sig"))
 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+	else if (!strcmp(arg, "-trusted_first"))
+		flags |= X509_V_FLAG_TRUSTED_FIRST;
 	else
 		return 0;
 

deps/openssl/openssl/crypto/x509/x509_vfy.c

@@ -206,6 +206,22 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		/* If we are self signed, we break */
 		if (ctx->check_issued(ctx, x,x)) break;
 
+		/* If asked see if we can find issuer in trusted store first */
+		if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+			{
+			ok = ctx->get_issuer(&xtmp, ctx, x);
+			if (ok < 0)
+				return ok;
+			/* If successful for now free up cert so it
+			 * will be picked up again later.
+			 */
+			if (ok > 0)
+				{
+				X509_free(xtmp);
+				break;
+				}
+			}
+
 		/* If we were passed a cert chain, use it first */
 		if (ctx->untrusted != NULL)
 			{

deps/openssl/openssl/crypto/x509/x509_vfy.h

@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_USE_DELTAS			0x2000
 /* Check selfsigned CA signature */
 #define X509_V_FLAG_CHECK_SS_SIGNATURE		0x4000
+/* Use trusted store first */
+#define X509_V_FLAG_TRUSTED_FIRST		0x8000
 
 
 #define X509_VP_FLAG_DEFAULT			0x1

src/node_crypto.cc

@@ -350,6 +350,12 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   SSL_CTX_sess_set_get_cb(sc->ctx_, SSLWrap<Connection>::GetSessionCallback);
   SSL_CTX_sess_set_new_cb(sc->ctx_, SSLWrap<Connection>::NewSessionCallback);
 
+  if (sc->verify_param_ == nullptr) {
+    sc->verify_param_ = X509_VERIFY_PARAM_new();
+    X509_VERIFY_PARAM_set_flags(sc->verify_param_, X509_V_FLAG_TRUSTED_FIRST);
+  }
+  SSL_CTX_set1_param(sc->ctx_, sc->verify_param_);
+
   sc->ca_store_ = nullptr;
 }
 

src/node_crypto.h

@@ -56,6 +56,7 @@ class SecureContext : public BaseObject {
 
   static void Initialize(Environment* env, v8::Handle<v8::Object> target);
 
+  X509_VERIFY_PARAM* verify_param_;
   X509_STORE* ca_store_;
   SSL_CTX* ctx_;
   X509* cert_;
@@ -92,6 +93,7 @@ class SecureContext : public BaseObject {
 
   SecureContext(Environment* env, v8::Local<v8::Object> wrap)
       : BaseObject(env, wrap),
+        verify_param_(nullptr),
         ca_store_(nullptr),
         ctx_(nullptr),
         cert_(nullptr),
@@ -113,10 +115,13 @@ class SecureContext : public BaseObject {
         X509_free(cert_);
       if (issuer_ != nullptr)
         X509_free(issuer_);
+      if (verify_param_ != nullptr)
+        X509_VERIFY_PARAM_free(verify_param_);
       ctx_ = nullptr;
       ca_store_ = nullptr;
       cert_ = nullptr;
       issuer_ = nullptr;
+      verify_param_ = nullptr;
     } else {
       CHECK_EQ(ca_store_, nullptr);
     }

src/node_root_certs.h

@@ -88,21 +88,6 @@
 "2zsmWLIodz2uFHdh1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4\n"
 "-----END CERTIFICATE-----\n",
 
-/* Verisign Class 3 Public Primary Certification Authority */
-"-----BEGIN CERTIFICATE-----\n"
-"MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMC\n"
-"VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQ\n"
-"cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgw\n"
-"MTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYD\n"
-"VQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGf\n"
-"MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ\n"
-"2RHP7gJYHyX3KqhEBarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaO\n"
-"IG+YD/isI19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G\n"
-"CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Dolbwdj2ws\n"
-"qFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNycAA9WjQKZ7aKQRUzk\n"
-"uxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k\n"
-"-----END CERTIFICATE-----\n",
-
 /* Verisign Class 3 Public Primary Certification Authority - G2 */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJBgNVBAYT\n"