src: check node_extra_ca_certs after openssl cfg
I recently discovered that the custom NodeJS-specific OpenSSL
config section in openssl.cnf would not be respected if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e. no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.

PR-URL: #48159
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
ckcr4lyf authored and MoLow committed Jul 6, 2023
1 parent d9a68b8 commit 5445835
Showing 1 changed file with 6 additions and 5 deletions.
11 changes: 6 additions & 5 deletions src/node.cc
@@ -969,11 +969,6 @@ std::unique_ptr<InitializationResult> InitializeOncePerProcess(
return ret;
};

{
std::string extra_ca_certs;
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
crypto::UseExtraCaCerts(extra_ca_certs);
}
// In the case of FIPS builds we should make sure
// the random source is properly initialized first.
#if OPENSSL_VERSION_MAJOR >= 3
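Review bot: The only file touched is src/node.cc, so nothing guards the ordering this hunk establishes; please add a regression test that sets `NODE_EXTRA_CA_CERTS` (including an unreadable path, the case the commit message calls out) together with a nodejs_conf section in an openssl.cnf and asserts that the config section is still honoured, otherwise a later refactor can quietly move the block back above the config load without any test failing.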
@@ -1058,6 +1053,12 @@ std::unique_ptr<InitializationResult> InitializeOncePerProcess(
CHECK(crypto::CSPRNG(buffer, length).is_ok());
return true;
});

{
std::string extra_ca_certs;
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
crypto::UseExtraCaCerts(extra_ca_certs);
}
#endif // HAVE_OPENSSL && !defined(OPENSSL_IS_BORINGSSL)
}
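Review bot: The re-inserted block carries no comment explaining why it now sits after the CSPRNG callback setup and the OpenSSL config load, so the placement looks incidental; add a one-line note above the `{` such as `// Must run after the OpenSSL config has been loaded, see PR #48159.` Also note that the return value of `crypto::UseExtraCaCerts(extra_ca_certs)` is still not checked, so an invalid path remains a silent no-op exactly as before; if that is intended, the comment should say so, since the commit message specifically mentions the invalid-value case.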


0 comments on commit 5445835