nodejs/nodejs-use-system-certs.patch

59 lines
1.5 KiB
Diff
Raw Normal View History

Description: do not bundle CA certificates, openssl on Debian have them
As a consequence, nodejs must depend on ca-certificates.
Forwarded: need some feedback before submitting the matter upstream
Author: Jérémy Lal <kapouer@melix.org>
Last-Update: 2014-03-02
Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
correct path for Fedora
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -64,7 +64,6 @@
namespace node {
const char* root_certs[] = {
-#include "node_root_certs.h" // NOLINT(build/include_order)
NULL
};
@@ -561,32 +560,16 @@
assert(sc->ca_store_ == NULL);
if (!root_cert_store) {
- root_cert_store = X509_STORE_new();
-
- for (int i = 0; root_certs[i]; i++) {
- BIO *bp = BIO_new(BIO_s_mem());
-
- if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
- BIO_free(bp);
- return False();
- }
-
- X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
-
- if (x509 == NULL) {
- BIO_free(bp);
- return False();
- }
-
- X509_STORE_add_cert(root_cert_store, x509);
-
- BIO_free(bp);
- X509_free(x509);
+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+ } else {
+ // empty store
+ root_cert_store = X509_STORE_new();
}
+ } else {
+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
}
-
sc->ca_store_ = root_cert_store;
- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
return True();
}