tls: include OpenSSL CAs in default CA list by Archkon · Pull Request #64269 · nodejs/node · GitHub

tls: include OpenSSL CAs in default CA list #64269

Open

Archkon wants to merge 1 commit into nodejs:main from Archkon:tls

Conversation

Archkon commented Jul 3, 2026

Fixes: #64258

When --use-openssl-ca is enabled, TLS clients use OpenSSL's
default certificate locations, but tls.getCACertificates('default')
did not include those certificates.

Expose the enumerable OpenSSL default CA certificates through the
crypto binding and include them in the default CA list returned by
tls.getCACertificates('default').

Also add regression coverage using SSL_CERT_FILE to avoid depending
on the host system CA store.

Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>

nodejs-github-bot (Collaborator) added labels c++ (Issues and PRs that require attention from people who are familiar with C++), crypto (Issues and PRs related to the crypto subsystem), needs-ci (PRs that need a full CI run), tls (Issues and PRs related to the tls subsystem) and typings on Jul 3, 2026

if (!cert_dir.empty()) {
LoadCertsFromDir(system_store_certs, cert_dir.c_str());
LoadCertsFromOpenSSLDirs(system_store_certs, cert_dir);
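Review bot: the guard `if (!cert_dir.empty())` only checks that the whole `cert_dir` string is non-empty, while the replacement call `LoadCertsFromOpenSSLDirs(system_store_certs, cert_dir)` is named for a list of directories; OpenSSL's hash-dir lookup accepts a separator-delimited list (':' on Unix, ';' on Windows), so an entry such as `/etc/ssl/certs::/other` contains an empty component that this guard does not catch. Make sure the new function splits on the platform separator and skips empty components, and have the multi-directory test requested in this thread include one nonexistent directory so that a bad entry is shown not to abort loading of the remaining ones.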

Member

Can you add a test for the case where multiple directories are used?

Comment thread doc/api/tls.md

joyeecheung (Member) commented Jul 3, 2026

I think we need to document that the certificates queried this way will diverge from what --use-openssl-ca actually uses to verify the certificates: --use-system-ca differs in that it trusts all certificates from the directories without the hash lookup, which is also e.g. what Go's client does, but --use-openssl-ca actually filters https://docs.openssl.org/1.1.1/man3/X509_LOOKUP_hash_dir/#hashed-directory-method

I am somewhat skeptical whether this should be implemented without a hash lookup, though. Another workaround is to accept a second parameter that indicates the certificate/subject name we are filtering for. I think we will also need an 'openssl' type that takes this filtering argument.


Development

Successfully merging this pull request may close these issues.

tls.getCACertificates("default") always returns an empty list when using --use-openssl-ca
