cli: add NODE_USE_SYSTEM_CA=1 · nodejs/node@471fe71 · GitHub

Commit 471fe71

joyeecheung authored and RafaelGSS committed
cli: add NODE_USE_SYSTEM_CA=1
Similar to how NODE_USE_ENV_PROXY complements --use-env-proxy, this complements --use-system-ca. This will allow the setting to be applied to workers individually in the future.

PR-URL: #59276
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
1 parent 64add63 commit 471fe71

5 files changed

Lines changed: 113 additions & 0 deletions


doc/api/cli.md

Lines changed: 13 additions & 0 deletions

doc/node.1

Lines changed: 6 additions & 0 deletions
@@ -841,6 +841,12 @@ This currently only affects requests sent over
841841
.Ar fetch() .
842842
Support for other built-in http and https methods is under way.
843843
.
844+
.It Ev NODE_USE_SYSTEM_CA
845+
Similar to
846+
.Fl -use-system-ca .
847+
Use the trusted CA certificates present in the system store, in addition to the certificates in the
848+
bundled Mozilla CA store and certificates from `NODE_EXTRA_CA_CERTS`.
849+
.
844850
.It Ev NODE_V8_COVERAGE Ar dir
845851
When set, Node.js writes JavaScript code coverage information to
846852
.Ar dir .
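Review bot: The last added line of the new NODE_USE_SYSTEM_CA entry wraps NODE_EXTRA_CA_CERTS in Markdown backticks, which mdoc does not interpret, so the backticks will show up literally in the rendered man page. Use the same macro the entry header uses, for example ".Ev NODE_EXTRA_CA_CERTS ." on its own line. The entry also never says which value turns the behaviour on. Since the src/node.cc change in this commit only accepts the exact string "1", say so here, otherwise a reader may set NODE_USE_SYSTEM_CA=true and assume the system store is trusted when it is not.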

src/node.cc

Lines changed: 9 additions & 0 deletions
@@ -868,6 +868,15 @@ static ExitCode InitializeNodeWithArgsInternal(
868868
// default value.
869869
V8::SetFlagsFromString("--rehash-snapshot");
870870

871+
#if HAVE_OPENSSL
872+
// TODO(joyeecheung): make this a per-env option and move the normalization
873+
// into HandleEnvOptions.
874+
std::string use_system_ca;
875+
if (credentials::SafeGetenv("NODE_USE_SYSTEM_CA", &use_system_ca) &&
876+
use_system_ca == "1") {
877+
per_process::cli_options->use_system_ca = true;
878+
}
879+
#endif // HAVE_OPENSSL
871880
HandleEnvOptions(per_process::cli_options->per_isolate->per_env);
872881

873882
std::string node_options;
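Review bot: The check use_system_ca == "1" silently ignores every other value, so NODE_USE_SYSTEM_CA=true or a value with stray whitespace leaves the process on the bundled store with no diagnostic. Because this variable changes which roots TLS connections trust, a mismatch between what the operator intended and what is in effect is worth surfacing: either document that only "1" is recognised, or emit a warning for a set-but-unrecognised value. The TODO already notes that the normalization belongs in HandleEnvOptions. Until that happens the setting is written to per_process::cli_options and therefore applies process-wide, which deserves a mention in the comment so nobody assumes per-worker scoping already exists.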
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
'use strict';
2+
// This tests that NODE_USE_SYSTEM_CA environment variable works the same
3+
// as --use-system-ca flag by comparing certificate counts.
4+
5+
const common = require('../common');
6+
if (!common.hasCrypto) common.skip('missing crypto');
7+
8+
const tls = require('tls');
9+
const { spawnSyncAndExitWithoutError } = require('../common/child_process');
10+
11+
const systemCerts = tls.getCACertificates('system');
12+
if (systemCerts.length === 0) {
13+
common.skip('no system certificates available');
14+
}
15+
16+
const { child: { stdout: expectedLength } } = spawnSyncAndExitWithoutError(process.execPath, [
17+
'--use-system-ca',
18+
'-p',
19+
`tls.getCACertificates('default').length`,
20+
], {
21+
env: { ...process.env, NODE_USE_SYSTEM_CA: '0' },
22+
});
23+
24+
spawnSyncAndExitWithoutError(process.execPath, [
25+
'-p',
26+
`assert.strictEqual(tls.getCACertificates('default').length, ${expectedLength.toString()})`,
27+
], {
28+
env: { ...process.env, NODE_USE_SYSTEM_CA: '1' },
29+
});
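Review bot: There is no negative case here. Both child processes (new lines 16-22 and 24-29) are expected to end up with system certificates enabled, so an implementation that treated NODE_USE_SYSTEM_CA as enabled for any value, or even when unset, would still pass. Add a child run with NODE_USE_SYSTEM_CA: '0' and no --use-system-ca flag and assert that its tls.getCACertificates('default').length is smaller than expectedLength (the systemCerts.length === 0 skip already guarantees the two differ). Comparing only lengths is also a weak equality check; comparing the certificate lists themselves would catch a store that has the right count but the wrong contents. Minor: expectedLength.toString() carries the trailing newline from -p into the template string, and a .trim() would make the interpolated assertion easier to read in failure output.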
Lines changed: 56 additions & 0 deletions
