tls: include OpenSSL CAs in default CA list#64269
When --use-openssl-ca is enabled, TLS clients use OpenSSL's
default certificate locations, but tls.getCACertificates('default')
did not include those certificates.
Expose the enumerable OpenSSL default CA certificates through the
crypto binding and include them in the default CA list returned by
tls.getCACertificates('default').
Also add regression coverage using SSL_CERT_FILE to avoid depending
on the host system CA store.
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
| if (!cert_dir.empty()) { | ||
| LoadCertsFromDir(system_store_certs, cert_dir.c_str()); | ||
| LoadCertsFromOpenSSLDirs(system_store_certs, cert_dir); |
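Review bot: the new call passes cert_dir as a whole to LoadCertsFromOpenSSLDirs, whose plural name suggests it splits an SSL_CERT_DIR-style list of directories, yet the only guard kept is the outer `if (!cert_dir.empty())`, which says nothing about empty or non-existent entries inside such a list; the helper should skip those explicitly, and the regression test should include a multi-directory value so that path is exercised.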
Can you add a test for the case where multiple directories are used?
I think we need to document that the certificates queried this way will diverge from what --use-openssl-ca actually uses to verify the certificates: --use-system-ca differs in that it trusts all certificates from the directories without the hash lookup, which is also e.g. what Go's client does, but --use-openssl-ca actually filters: https://docs.openssl.org/1.1.1/man3/X509_LOOKUP_hash_dir/#hashed-directory-method
I am somewhat skeptical whether this should be implemented without a hash lookup, though. Another workaround is to accept a second parameter that indicates the certificate/subject name we are filtering for. I think we will also need an 'openssl' type that takes this filtering argument.

Fixes: #64258