Description
Version
v8.17.0
Platform
Linux 5.4.0-87-generic #98~18.04.1-Ubuntu SMP Wed Sep 22 10:45:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Subsystem
tls
What steps will reproduce the bug?
Any request to a website whose certificate chain is the Let's Encrypt cross-signed chain, for example:

```javascript
const https = require("https");

// The response callback only runs once the TLS handshake has succeeded.
// An "error" listener is attached so the verification failure is printed
// instead of being thrown as an unhandled 'error' event.
https.get("https://letsencrypt.org/", (res) => { console.log("PASS"); })
  .on("error", (err) => { console.error(err); });
```
How often does it reproduce? Is there a required condition?
A cross-signed certificate chain must be in use.
For now the only one I know of is the one used by Let's Encrypt.
What is the expected behavior?
PASS
What do you see instead?
```
Error: certificate has expired
    at TLSSocket.<anonymous> (_tls_wrap.js:1116:38)
    at emitNone (events.js:106:13)
    at TLSSocket.emit (events.js:208:7)
    at TLSSocket._finishInit (_tls_wrap.js:643:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38)
```
Additional information
Of course I know that Node 8 is not supported anymore, but I'm working with an old code base. We tried multiple times to upgrade, but a memory leak that only presents itself on newer versions stops us each time.
The problem is in OpenSSL: we need to add the X509_V_FLAG_TRUSTED_FIRST flag to the default verification parameters, which in the bundled OpenSSL are:

node/deps/openssl/openssl/crypto/x509/x509_vpm.c
Lines 535 to 545 in f85ec19

```c
static const X509_VERIFY_PARAM default_table[] = {
    {
     "default",                 /* X509 default parameters */
     0,                         /* Check time */
     0,                         /* internal flags */
     0,                         /* flags */
     0,                         /* purpose */
     0,                         /* trust */
     100,                       /* depth */
     NULL,                      /* policies */
     vpm_empty_id},
```
From the master branch:

node/deps/openssl/openssl/crypto/x509/x509_vpm.c
Lines 474 to 485 in 35dc386

```c
static const X509_VERIFY_PARAM default_table[] = {
    {
     "default",                 /* X509 default parameters */
     0,                         /* Check time */
     0,                         /* internal flags */
     X509_V_FLAG_TRUSTED_FIRST, /* flags */
     0,                         /* purpose */
     0,                         /* trust */
     100,                       /* depth */
     -1,                        /* auth_level */
     NULL,                      /* policies */
     vpm_empty_id},
```
I've tested it and it works after the change. I'm not familiar with the PR process in place, but I can do one if you want me to.
Anyways... Since the fix is extremely simple and probably affects a significant number of people, is it possible to make an exception? If not, we can still build from source and run our own version of Node, I guess 🤷♂️.
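To make the effect of X509_V_FLAG_TRUSTED_FIRST concrete, here is an added example (not code from this issue, from Node, or from OpenSSL) that models chain building the way the two default tables above differ: without the flag, the verifier follows the certificates the server presented all the way up before consulting the trust store; with the flag, a trust-store certificate matching the next issuer is preferred as soon as one exists. The certificates are plain objects rather than real X.509 data, and the subject names, dates and "current time" are constructed to resemble the Let's Encrypt cross-signed chain of that period, so treat them as assumptions for illustration.

```javascript
// Added example: a simplified model of OpenSSL chain building with and
// without X509_V_FLAG_TRUSTED_FIRST. Certificates are plain objects, not
// real X.509 data; all names and dates below are constructed assumptions.

// Constructed "current time": after the old root has expired.
const NOW = Date.parse("2021-10-05T00:00:00Z");
const ts = (iso) => Date.parse(iso);

// Constructed sample certificates: { subject, issuer, notAfter }.
const LEAF = { subject: "letsencrypt.org", issuer: "R3", notAfter: ts("2021-12-01T00:00:00Z") };
const R3 = { subject: "R3", issuer: "ISRG Root X1", notAfter: ts("2025-09-15T00:00:00Z") };
// Cross-signed copy of the new root, issued by the old root (what the server sends).
const ISRG_X1_CROSS = { subject: "ISRG Root X1", issuer: "DST Root CA X3", notAfter: ts("2024-09-30T00:00:00Z") };
// Self-signed copy of the new root (what a current trust store contains).
const ISRG_X1_SELF = { subject: "ISRG Root X1", issuer: "ISRG Root X1", notAfter: ts("2035-06-04T00:00:00Z") };
// Old root: still present in many trust stores, but expired at NOW.
const DST_X3 = { subject: "DST Root CA X3", issuer: "DST Root CA X3", notAfter: ts("2021-09-30T00:00:00Z") };

const PRESENTED = [LEAF, R3, ISRG_X1_CROSS]; // chain sent by the server
const TRUST_STORE = [ISRG_X1_SELF, DST_X3];   // a typical system store with both roots

const isSelfSigned = (c) => c.subject === c.issuer;

// Build a path from the leaf up to a self-signed certificate, then check it.
// trustedFirst=false: issuers are taken from the presented list before the
// trust store (the old default). trustedFirst=true: a trust-store match wins.
function buildChain(presented, trustStore, { trustedFirst, now = NOW, maxDepth = 100 }) {
  const fromStore = (name) => trustStore.find((c) => c.subject === name);
  const fromPresented = (name) => presented.find((c) => c.subject === name);
  const chain = [presented[0]];
  let current = chain[0];
  while (!isSelfSigned(current)) {
    if (chain.length > maxDepth) return { ok: false, reason: "certificate chain too long", chain };
    const next = trustedFirst
      ? fromStore(current.issuer) || fromPresented(current.issuer)
      : fromPresented(current.issuer) || fromStore(current.issuer);
    if (!next) return { ok: false, reason: "unable to get issuer certificate", chain };
    chain.push(next);
    current = next;
  }
  // The path must end in a certificate that is actually in the trust store ...
  if (!trustStore.includes(current)) {
    return { ok: false, reason: "self signed certificate in certificate chain", chain };
  }
  // ... and every link, the anchor included, must be inside its validity period.
  const expired = chain.find((c) => c.notAfter < now);
  if (expired) return { ok: false, reason: "certificate has expired", chain, failing: expired.subject };
  return { ok: true, chain };
}

// Run the constructed scenario under one setting and report the path taken.
function verifyLetsEncryptChain(trustedFirst) {
  const result = buildChain(PRESENTED, TRUST_STORE, { trustedFirst });
  return { ok: result.ok, reason: result.reason, failing: result.failing, path: result.chain.map((c) => c.subject) };
}

console.log("legacy:       ", verifyLetsEncryptChain(false));
console.log("trusted-first:", verifyLetsEncryptChain(true));
```

Without the flag the model walks letsencrypt.org → R3 → the cross-signed ISRG Root X1 → DST Root CA X3 and fails with "certificate has expired" on the old root, which is the error in the report; with the flag it stops at the self-signed ISRG Root X1 from the trust store and the chain validates. The same path logic is why removing the expired root from the trust store, or sending a chain without the cross-signed certificate, also changes the outcome on old verifiers.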