use the system certificate store instead of the bundled copy

both are based on the Mozilla CA list, so the only effect this should have is
  making additional certificates added by the system administrator available to
  node
T.C. Hollingsworth 2014-05-02 18:24:05 -07:00
parent 7269177e52
commit e034863719
2 changed files with 79 additions and 2 deletions


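--- a/nodejs-use-system-certs.patch
+++ b/nodejs-use-system-certs.patch
@@ -0,0 +1,58 @@
+Description: do not bundle CA certificates, openssl on Debian have them
+As a consequence, nodejs must depend on ca-certificates.
+Forwarded: need some feedback before submitting the matter upstream
+Author: Jérémy Lal <kapouer@melix.org>
+Last-Update: 2014-03-02
+Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
+correct path for Fedora
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -64,7 +64,6 @@
+namespace node {
+const char* root_certs[] = {
+-#include "node_root_certs.h" // NOLINT(build/include_order)
+NULL
+};
+@@ -561,32 +560,16 @@
+assert(sc->ca_store_ == NULL);
+if (!root_cert_store) {
+- root_cert_store = X509_STORE_new();
+-
+- for (int i = 0; root_certs[i]; i++) {
+- BIO *bp = BIO_new(BIO_s_mem());
+-
+- if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
+- BIO_free(bp);
+- return False();
+- }
+-
+- X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
+-
+- if (x509 == NULL) {
+- BIO_free(bp);
+- return False();
+- }
+-
+- X509_STORE_add_cert(root_cert_store, x509);
+-
+- BIO_free(bp);
+- X509_free(x509);
++ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
++ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
++ } else {
++ // empty store
++ root_cert_store = X509_STORE_new();
+}
++ } else {
++ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
+}
+-
+sc->ca_store_ = root_cert_store;
+- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
+return True();
+}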
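Review bot: When `SSL_CTX_load_verify_locations` fails, the `// empty store` fallback silently installs a fresh `X509_STORE_new()`, so a missing or unreadable `/etc/pki/tls/certs/ca-bundle.crt` (a minimal chroot or container without ca-certificates, a bad permission bit) is only noticed later as every peer failing with "unable to get local issuer certificate", and the error OpenSSL leaves on its queue can be reported against an unrelated later call; the removed loop at least returned `False()` when a root could not be loaded. Keeping the fail-closed empty store is reasonable, but make the failure visible and clean up: `ERR_clear_error();` before the fallback, and either `return False();` as the old code did or a one-line stderr diagnostic that names the path. The literal path is the only Fedora-specific line in a patch otherwise shared with Debian; wrapping it as `#ifndef NODE_CA_BUNDLE_PATH` / `#define NODE_CA_BUNDLE_PATH "/etc/pki/tls/certs/ca-bundle.crt"` / `#endif` lets the spec pass the path with `-D` and keeps it next to the `Requires: ca-certificates` that justifies it. Note that `AddRootCerts`' signature lies before the second hunk, and the now-empty `root_certs[]` array from the first hunk is left behind as dead code. The store obtained from the first context is afterwards shared with every later context through `SSL_CTX_set_cert_store`, which does not take a reference, so whether it survives the first `SecureContext` being freed depends on the free path outside this patch and is worth checking.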


@ -1,6 +1,6 @@
Name: nodejs Name: nodejs
Version: 0.10.28 Version: 0.10.28
Release: 1%{?dist} Release: 2%{?dist}
Summary: JavaScript runtime Summary: JavaScript runtime
License: MIT and ASL 2.0 and ISC and BSD License: MIT and ASL 2.0 and ISC and BSD
Group: Development/Languages Group: Development/Languages
@ -23,6 +23,11 @@ Source7: nodejs_native.attr
# Disable running gyp on bundled deps we don't use # Disable running gyp on bundled deps we don't use
Patch1: nodejs-disable-gyp-deps.patch Patch1: nodejs-disable-gyp-deps.patch
# use system certificates instead of the bundled ones
# modified version of Debian patch:
# http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch
Patch2: nodejs-use-system-certs.patch
# V8 presently breaks ABI at least every x.y release while never bumping SONAME, # V8 presently breaks ABI at least every x.y release while never bumping SONAME,
# so we need to be more explicit until spot fixes that # so we need to be more explicit until spot fixes that
%global v8_ge 1:3.14.5.7 %global v8_ge 1:3.14.5.7
@ -40,6 +45,9 @@ BuildRequires: openssl-devel >= 1:1.0.1
Requires: v8%{?_isa} >= %{v8_ge} Requires: v8%{?_isa} >= %{v8_ge}
Requires: v8%{?_isa} < %{v8_lt} Requires: v8%{?_isa} < %{v8_lt}
# we need the system certificate store when Patch2 is applied
Requires: ca-certificates
#we need ABI virtual provides where SONAMEs aren't enough/not present so deps #we need ABI virtual provides where SONAMEs aren't enough/not present so deps
#break when binary compatibility is broken #break when binary compatibility is broken
%global nodejs_abi 0.10 %global nodejs_abi 0.10
@ -83,10 +91,15 @@ The API documentation for the Node.js JavaScript runtime.
%prep %prep
%setup -q -n node-v%{version} %setup -q -n node-v%{version}
%patch1 -p1
# remove bundled dependencies
%patch1 -p1
rm -rf deps rm -rf deps
# remove bundled CA certificates
%patch2 -p1
rm -f src/node_root_certs.h
%build %build
# build with debugging symbols and add defines from libuv (#892601) # build with debugging symbols and add defines from libuv (#892601)
export CFLAGS='%{optflags} -g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' export CFLAGS='%{optflags} -g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
@ -160,6 +173,12 @@ cp -p common.gypi %{buildroot}%{_datadir}/node
%{_defaultdocdir}/%{name}-docs-%{version} %{_defaultdocdir}/%{name}-docs-%{version}
%changelog %changelog
* Sat May 03 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.28-2
- use the system certificate store instead of the bundled copy
both are based on the Mozilla CA list, so the only effect this should have is
making additional certificates added by the system administrator available to
node
* Sat May 03 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.28-1 * Sat May 03 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.28-1
- new upstream release 0.10.28 - new upstream release 0.10.28
There is no dfference between 0.10.27 and 0.10.28 for Fedora, as the only There is no dfference between 0.10.27 and 0.10.28 for Fedora, as the only