Use system certificate store when running under Windows

[jupjohn]

What is the problem this feature will solve?

Currently, when servers present certificates that are signed by a self-signed CA (e.g. a corporate HTTPS inspection firewall, or an internal NPM registry) AND the CA certificate is present in the Windows certificate store, the connection will fail due to CA root verification. This is most noticeable when installing packages via NPM behind corporate proxies - ending up in installation failing due to cert verification.

What is the feature you are proposing to solve the problem?

In OpenSSL 3.2, support was added to use the Windows cert store as OpenSSL's CA store. While node currently doesn't use 3.2, when it eventually makes the move I would suggest defaulting the cert store to org.openssl.winstore:// - allowing any CA root certs to be picked up from the system.

What alternatives have you considered?

• Manually extract certificates from the Windows certificate store and pass to OpenSSL on process init (may require privilege escalation, no thanks)
• Export all Windows certificates and load them using NODE_EXTRA_CA_CERTS (works, but would be one less thing to worry about if the Windows cert store was used)

[jupjohn]

I'm unsure if this would prevent the winstore module from being built in OpenSSL, but I did notice that node disables dynamic engines & the Windows CAPI in openssl.gypi to "avoid build errors on Win"

Removing those two defines from the build doesn't seem to break it for me, so there's a potential that they can be removed if required. Maybe there's a good reason why dynamic engines are disabled 🤷‍♂️

[NoCopy]

In light of the recent ESET issue outlined here https://forum.eset.com/topic/40702-eset-ssl-protection-produces-an-invalid-certificate-chain-for-nodejs-apps this deserves higher priority.

Not only for the fact that there was a problem with ESET (and potential scanners in the future) but for the fact that Node windows certificate issues have always been a pain in the ass / issue outside of that particular problem.

Windows certificate store has been around forever and is a core security feature of the OS. There is no excuse not to support it especially after OpenSSL officially supports it now.

[github-actions]

There has been no activity on this feature request for 5 months. To help maintain relevant open issues, please add the never-stale Mark issue so that it is never considered stale label or close this issue if it should be closed. If not, the issue will be automatically closed 6 months after the last non-automated comment.
For more information on how the project manages feature requests, please consult the feature request management document.

[stasberkov]

Working on Windows with nodejs and custom certificates is a pain. Please implement this feature.

[timtucker-dte]

This is definitely an issue for us.

Setting NODE_TLS_REJECT_UNAUTHORIZED=0 to disable certificate validation completely works as a kludge to get local development up and running, but including it anywhere near a code base introduces the unnecessary risk of someone accidentally pushing the setting to a production environment.

[arontsang]

How is this not fixed already?

[joyeecheung]

This has been fixed by #56833 under --use-system-ca.