Skip to content

Commit

Permalink
src: check node_extra_ca_certs after openssl cfg
Browse files Browse the repository at this point in the history
I recently discovered that the custom NodeJS specific OpenSSL
config section in openssl.cnf would not be respected, if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.

PR-URL: #48159
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Minwoo Jung <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
  • Loading branch information
ckcr4lyf authored and targos committed May 30, 2023
1 parent ed45142 commit b8f4070
Showing 1 changed file with 6 additions and 5 deletions.
11 changes: 6 additions & 5 deletions src/node.cc
Original file line number Diff line number Diff line change
Expand Up @@ -961,11 +961,6 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
return ret;
};

{
std::string extra_ca_certs;
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
crypto::UseExtraCaCerts(extra_ca_certs);
}
// In the case of FIPS builds we should make sure
// the random source is properly initialized first.
#if OPENSSL_VERSION_MAJOR >= 3
Expand Down Expand Up @@ -1052,6 +1047,12 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
CHECK(crypto::CSPRNG(buffer, length).is_ok());
return true;
});

{
std::string extra_ca_certs;
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
crypto::UseExtraCaCerts(extra_ca_certs);
}
#endif // HAVE_OPENSSL && !defined(OPENSSL_IS_BORINGSSL)
}

Expand Down

0 comments on commit b8f4070

Please sign in to comment.