
Create an environment variable as an alternative to the --use-system-ca CLI flag #3162

Closed

Description

@zleroy

Working in an enterprise setting, we have security tools that perform SSL decryption using self-signed certificates. This is often problematic for many developer tools.

Since some CLI tools that run on Node often ship with their own CLI shell wrapper executables, it is not always feasible to pass a command line argument to node for the --use-system-ca flag (see https://nodejs.org/en/blog/release/v23.8.0 and #56599 and #56833) in order to leverage the feature.

An example CLI tool that runs on Node.js is Salesforce CLI.

The 'sf' command is provided through the following script when the package is installed:

#!/bin/sh
basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")

case `uname` in
    *CYGWIN*|*MINGW*|*MSYS*)
        if command -v cygpath > /dev/null 2>&1; then
            basedir=`cygpath -w "$basedir"`
        fi
    ;;
esac

if [ -x "$basedir/node" ]; then
  exec "$basedir/node" --no-deprecation "$basedir/node_modules/@salesforce/cli/bin/run.js" "$@"
else 
  exec node --no-deprecation "$basedir/node_modules/@salesforce/cli/bin/run.js" "$@"
fi

Due to the use of 'exec' to invoke Node, a workaround to make a shell wrapper function to override calls to Node and inject the --use-system-ca flag on all invocations is not feasible. The only workaround that tested successfully was to either entirely override 'sf' in ~/.bashrc or manually edit the 'sf' script above after the package is installed.

There are other ways to work around certificate trust issues for self-signed certificates, but they are often more work or less secure.

Now that --use-system-ca functionality is available, it would be ideal to leverage this functionality with an environment variable rather than manually setting certificate paths, manually building a separate trust store, or using NODE_TLS_REJECT_UNAUTHORIZED=0.

Would it make sense to make --use-system-ca a default? As a Node user, I would expect Node to use the default certificate management system on the operating system I am running on (Windows, macOS, Red Hat, etc.) vs. having to configure Node to do so.

Best regards, and thank you for implementing --use-system-ca! The new feature dramatically simplifies the amount of manual hackery each developer needs to perform on their machines to work in our enterprise.
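A ~/.bashrc override of the kind the post describes as the workaround that tested successfully, as an added example that is not part of the issue or of the Salesforce CLI. It assumes the npm layout shown in the shim above (a launcher named sf on PATH, an optional bundled node beside it, and node_modules/@salesforce/cli/bin/run.js as the entry point); the function names are hypothetical.

```shell
# Added example: re-implements the 'sf' shim's launch logic with
# --use-system-ca prepended, for use as a shell function in ~/.bashrc.
# Assumed layout (from the shim in the issue): <basedir>/sf, optional
# <basedir>/node, and the run.js entry point below.
SF_RUN_JS_REL='node_modules/@salesforce/cli/bin/run.js'

# Locate the real 'sf' launcher by walking PATH by hand: 'command -v sf'
# would resolve to this shell function, not to the script. The body runs
# in a subshell so the IFS change cannot leak into the interactive shell.
sf_find_real() (
  IFS=:
  for dir in $PATH; do
    [ -n "$dir" ] && [ -f "$dir/sf" ] && [ -x "$dir/sf" ] || continue
    printf '%s\n' "$dir/sf"
    exit 0
  done
  exit 1
)

# Mirror the shim: prefer the node binary bundled next to the launcher,
# otherwise fall back to whatever 'node' is on PATH.
sf_pick_node() {
  if [ -x "$1/node" ]; then printf '%s\n' "$1/node"; else printf '%s\n' node; fi
}

# Launch the CLI with the flag the stock shim gives no way to pass.
# Deliberately no 'exec': this runs inside the interactive shell, which
# must survive the call, and 'exec' is exactly why a wrapper around
# 'node' itself does not work.
sf() {
  real=$(sf_find_real) || { echo 'sf: launcher not found on PATH' >&2; return 127; }
  basedir=$(dirname "$real")
  "$(sf_pick_node "$basedir")" --use-system-ca --no-deprecation \
    "$basedir/$SF_RUN_JS_REL" "$@"
}
```

Because the override only prepends the flag and otherwise mirrors the shim, upgrading the package does not require re-editing the installed script.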
