please provide a way to use system-installed root certificates instead of bundled ones #3159
Comments
probably a feature for /cc @nodejs/crypto @nodejs/build
+1 We need this feature too - I'm working with a corporate that uses RapidSSL - which is not in the bundled certs list (as far as I can see). Thanks
I like this as well. Can you file a PR?
+1 This is also needed for decrypting corporate firewalls that use self-signed certificates which have been placed into OS cert stores by IT automation.
PR: #8334 should fix this issue.
https://github.com/capriza/syswide-cas provides a temporary workaround by loading certs from system-wide directories and automatically using them in conjunction with the bundled root CAs
NodeJS can already use an external, shared OpenSSL library. This library knows where to look for OS managed certificates. Allow a compile-time option to use this CA store by default instead of using bundled certificates. In case when using bundled OpenSSL, the paths are also valid for majority of Linux systems without additional intervention. If this is not set, we can use SSL_CERT_DIR to point it to correct location. Fixes: nodejs#3159 PR-URL: nodejs#8334
NodeJS can already use an external, shared OpenSSL library. This library knows where to look for OS managed certificates. Allow a compile-time option to use this CA store by default instead of using bundled certificates. In case when using bundled OpenSSL, the paths are also valid for majority of Linux systems without additional intervention. If this is not set, we can use SSL_CERT_DIR to point it to correct location. Fixes: nodejs#3159 PR-URL: nodejs#8334 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
NodeJS can already use an external, shared OpenSSL library. This library knows where to look for OS managed certificates. Allow a compile-time option to use this CA store by default instead of using bundled certificates. In case when using bundled OpenSSL, the paths are also valid for majority of Linux systems without additional intervention. If this is not set, we can use SSL_CERT_DIR to point it to correct location. Fixes: #3159 PR-URL: #8334 Backport-PR-URL: #11794 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
NodeJS can already use an external, shared OpenSSL library. This library knows where to look for OS managed certificates. Allow a compile-time option to use this CA store by default instead of using bundled certificates. In case when using bundled OpenSSL, the paths are also valid for majority of Linux systems without additional intervention. If this is not set, we can use SSL_CERT_DIR to point it to correct location. Fixes: nodejs/node#3159 PR-URL: nodejs/node#8334 Backport-PR-URL: nodejs/node#11794 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
This is only solved for OpenSSL. In Windows, the system trust store is managed by CertMgr. In macOS it's Keychain. Both should also be supported. Please re-open this issue.
Node.js only supports OpenSSL, this feature requested by @kapouer was implemented. You can open another feature request if you'd like. Be aware that a node feature request, either open or closed, doesn't imply that anyone is going to volunteer to implement it. Since doing this would require a new OpenSSL cert store, I recommend opening an issue against OpenSSL, or asking on their mailing list. Maybe there is a solution already, or they can point you to previous discussions. I'd be very surprised if this hadn't been requested of them before. |
How did this work in Windows? AFAIK Windows doesn’t support OpenSSL officially. |
Node.js includes a copy of OpenSSL, it doesn't need to be supported by Windows. |
To access the system certificate inside of Windows/macOS, additional implementation is needed. In my case, this issue is quite important since big companies restrict access to internal services with an unexportable self-signed certificate (which is located in the system keystore) for security concerns.
Is this really still an issue? |
@thebigredgeek Yes, in an enterprise environment, the security team strictly prohibits the export of the SSO client certificate (which is in the system keystore). And internal services also do not provide any technical account nor token.
If this was completed, how do I use system-installed root certificates instead of bundled ones? It seems like there are tools to explicitly add my certificates to nodejs, but I can't find any documentation about how to get it to forget about its own certificate store, and only use my system store (particularly, without providing any paths). |
If you expect node to magically know where your system's certificate store can be found, it doesn't, bad expectation, but you can point it in the right direction with the |
No, that's the whole point of Windows keeping certs in a well-known system-managed store in the registry. Native Windows apps look for certs by specifying a StoreLocation ( Exporting certificates to the filesystem and keeping it in sync isn't really idiomatic to the platform. It's a lowest-common-denominator approach to cross-platform support. |
For the purposes of this issue, node would load the certs from the |
As you can probably tell from the You could file a feature request with the openssl project but check its mailing list, it's a topic that's come up many times before and there are Reasons why things are the way they are. |
Without that context, I can't really address any of that history. It seems like using more than exclusively openssl could be an option. 🤷♂️ It's a topic for another forum, I guess. But there is also a Reason you'll continue to get this request. |
I agree with @brianary -- not providing paths is indeed the entire point. I maintain the list of my certificates once and only once in a central location, and the applications I use know to look, without any configuration, for the system certificates that come pre-installed on every operating system. Sure, different operating systems put them in different places. But Windows and Linux aren't the same and always require different treatment. Sure, different distros of linux could put their root certificate stores in different places, but they don't vary very much. The location of the certificates on MacOS is predictable. It's predictable. If I have to type in a filesystem path to run my interpreted program, there is a code-smell. My program won't work cross-platform, and it will be a giant pain for others to set up (and result in me fielding endless support questions about how to get their certificates installed correctly). It won't work in more strict corporate environments. It won't work in situations where certificates are managed by a 3rd party security division. As you say, decisions in the internal implementation of node have made it easier for you to not solve this problem, and allow people to find workarounds. But this isn't solved, and it's not magic. Other programs like wget and .NET Core seem to have this down without issue. |
From my perspective, it is simple. Just FYI, from some point in time, Firefox also started to refer to system certificates optionally. I think this change makes a lot of sense.
If you want a way forward: open a pull request implementing it for the Big Three (Linux, macOS, Windows) and see how it's received. Technologies:
|
The original patch was to use system CA by a system installed OpenSSL. From OpenSSL, https://mta.openssl.org/pipermail/openssl-users/2018-September/008691.html
On Linux systems, the system CA store/OpenSSL maintainer(s) would alter these paths and install other certificates into these stores (or compatible ones). I know that we have to manage various databases of these things for different software, like Firefox or libnss. https://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store So for Windows, if you would like Node to use the cert store from Windows, I think it's up to you to provide the code required. Just like it was up to someone to provide the code required to use a non-bundled CA list on Linux. I don't think anyone else will start working on this unless there is interest. And for the last few years, not much interest. You have the source code. Add the needed functionality (yourself or hire someone to do this for you). Make a Pull Request. Fix things that need to be fixed to get it accepted into Node proper. This is the power of open source - you have the power to change and improve the program incrementally for the "killer" features you must have.
You're right about open source; I wish my job was set up for me to do this type of thing. Anybody else want to take a crack at it? 😋 |
|
NodeJS can already use an external, shared OpenSSL library. This library knows where to look for OS managed certificates. Allow a compile-time option to use this CA store by default instead of using bundled certificates. In case when using bundled OpenSSL, the paths are also valid for majority of Linux systems without additional intervention. If this is not set, we can use SSL_CERT_DIR to point it to correct location. Fixes: nodejs/node#3159 PR-URL: nodejs/node#8334 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
This is related to #1256.
In Debian and derivatives, and probably other distributions too, certificates are managed and configured system-wide. For example /etc/ssl/certs/ca-certificates.crt, which is also user-configurable. It is so expected and useful that it'd be nice to add a configure switch to nodejs so that it bundles a custom file, or even better, a runtime switch. Currently I have a patch on nodejs partially doing that, and I kept it beside me until someone complained it wasn't in the original release.