nodejs/nodejs-use-system-certs.patch
T.C. Hollingsworth e034863719 use the system certificate store instead of the bundled copy
both are based on the Mozilla CA list, so the only effect this should have is
  making additional certificates added by the system administrator available to
  node
2014-05-02 19:11:36 -07:00

58 lines
1.5 KiB
Diff

Description: do not bundle CA certificates, openssl on Debian have them
As a consequence, nodejs must depend on ca-certificates.
Forwarded: need some feedback before submitting the matter upstream
Author: Jérémy Lal <kapouer@melix.org>
Last-Update: 2014-03-02
Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
correct path for Fedora
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -64,7 +64,6 @@
namespace node {
const char* root_certs[] = {
-#include "node_root_certs.h" // NOLINT(build/include_order)
NULL
};
@@ -561,32 +560,16 @@
assert(sc->ca_store_ == NULL);
if (!root_cert_store) {
- root_cert_store = X509_STORE_new();
-
- for (int i = 0; root_certs[i]; i++) {
- BIO *bp = BIO_new(BIO_s_mem());
-
- if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
- BIO_free(bp);
- return False();
- }
-
- X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
-
- if (x509 == NULL) {
- BIO_free(bp);
- return False();
- }
-
- X509_STORE_add_cert(root_cert_store, x509);
-
- BIO_free(bp);
- X509_free(x509);
+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+ } else {
+ // empty store
+ root_cert_store = X509_STORE_new();
}
+ } else {
+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
}
-
sc->ca_store_ = root_cert_store;
- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
return True();
}