e034863719
both are based on the Mozilla CA list, so the only effect this should have is making additional certificates added by the system administrator available to node
59 lines
1.5 KiB
Diff
59 lines
1.5 KiB
Diff
Description: do not bundle CA certificates, openssl on Debian have them
|
|
As a consequence, nodejs must depend on ca-certificates.
|
|
Forwarded: need some feedback before submitting the matter upstream
|
|
Author: Jérémy Lal <kapouer@melix.org>
|
|
Last-Update: 2014-03-02
|
|
|
|
Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
|
|
correct path for Fedora
|
|
--- a/src/node_crypto.cc
|
|
+++ b/src/node_crypto.cc
|
|
@@ -64,7 +64,6 @@
|
|
namespace node {
|
|
|
|
const char* root_certs[] = {
|
|
-#include "node_root_certs.h" // NOLINT(build/include_order)
|
|
NULL
|
|
};
|
|
|
|
@@ -561,32 +560,16 @@
|
|
assert(sc->ca_store_ == NULL);
|
|
|
|
if (!root_cert_store) {
|
|
- root_cert_store = X509_STORE_new();
|
|
-
|
|
- for (int i = 0; root_certs[i]; i++) {
|
|
- BIO *bp = BIO_new(BIO_s_mem());
|
|
-
|
|
- if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
|
|
- BIO_free(bp);
|
|
- return False();
|
|
- }
|
|
-
|
|
- X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
|
|
-
|
|
- if (x509 == NULL) {
|
|
- BIO_free(bp);
|
|
- return False();
|
|
- }
|
|
-
|
|
- X509_STORE_add_cert(root_cert_store, x509);
|
|
-
|
|
- BIO_free(bp);
|
|
- X509_free(x509);
|
|
+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
|
|
+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
|
|
+ } else {
|
|
+ // empty store
|
|
+ root_cert_store = X509_STORE_new();
|
|
}
|
|
+ } else {
|
|
+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
|
|
}
|
|
-
|
|
sc->ca_store_ = root_cert_store;
|
|
- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
|
|
|
|
return True();
|
|
}
|