crypto: add NODE_EXTRA_CA_CERTS to modified cert stores

Fixes the NODE_EXTRA_CA_CERTS root certificates being missing in a SecureContext when the crl or pfx options are specified in a call to tls.createSecureContext().

As part of this change, specifying NODE_EXTRA_CA_CERTS no longer causes the bundled CA store to be immediately loaded at startup. Instead, the bundled CAs will be loaded on the first call to tls.createSecureContext(), the same as how Node.js works by default. This improves startup performance and partially mitigates issue #40524.

Due to the deferred bundled CA loading described above, the NODE_EXTRA_CA_CERTS are now loaded into the X509_STORE before the bundled certificates instead of after. Please let me know if this creates a risk of a breaking change; I opted for simpler logic for the initial PR.

Fixes: https://github.com/nodejs/node/issues/32010
Refs: https://github.com/nodejs/node/issues/40524
