From e51cf2ad2627af02e88df48287fe510e885ba1dc Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 1 Dec 2015 16:29:07 -0500 Subject: [PATCH 2/2] Do not bundle CA Certificates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CA Certificates are provided by Fedora. Forwarded: need some feedback before submitting the matter upstream Author: J?r?my Lal Last-Update: 2014-03-02 Modified 2014-05-02 by T.C. Hollingsworth with the correct path for Fedora Modified 2015-12-01 by Stephen Gallagher to update for Node.js 4.2 Modified 2016-03-04 by Stephen Gallagher to update for Node.js 5.7.1 Modified 2016-04-25 by Joseph Wang to update for Node.js 5.11.0 Modified 2016-07-10 by Zuzana Svetlikova to update for Node.js 6.3.0 --- node/src/node_crypto.cc 2016-07-10 19:03:17.184502913 +0200 +++ node_crypto.cc 2016-07-10 18:56:28.956440528 +0200 @@ -118,7 +118,7 @@ static Mutex* mutexes; const char* const root_certs[] = { -#include "node_root_certs.h" // NOLINT(build/include_order) + NULL }; X509_STORE* root_cert_store; @@ -752,29 +752,17 @@ CHECK_EQ(sc->ca_store_, nullptr); if (!root_cert_store) { - root_cert_store = X509_STORE_new(); - - for (size_t i = 0; i < arraysize(root_certs); i++) { - BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i])); - if (bp == nullptr) { - return; - } - - X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr); - if (x509 == nullptr) { - BIO_free_all(bp); - return; - } - - X509_STORE_add_cert(root_cert_store, x509); - - BIO_free_all(bp); - X509_free(x509); + if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) { + root_cert_store = SSL_CTX_get_cert_store(sc->ctx_); + } else { + // empty store + root_cert_store = X509_STORE_new(); } + } else { + SSL_CTX_set_cert_store(sc->ctx_, root_cert_store); } sc->ca_store_ = root_cert_store; - SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); }