crypto: allow adding extra certs to well-known CAs
Checklist
- `make -j8 test` (UNIX), or `vcbuild test nosign` (Windows) passes
- tests and/or benchmarks are included
- documentation is changed or added
- commit message follows commit guidelines
Affected core subsystem(s)
crypto,tls,https
Description of change
In closed environments, self-signed or privately signed certificates are commonly used, and rejected by Node.js since their root CAs are not well-known. Allow extending the set of well-known compiled-in CAs via environment, so they can be set as a matter of policy.
Note that #8334 addresses a similar but not identical use-case, and works better for those (like Linux distributions) that are willing to recompile Node.js to use OpenSSL's default certificate store. #8334 doesn't address those who cannot recompile, do not have access to the system certificate store, or who are on a system where the default certificate store is not exposed as an OpenSSL compatible store (for example, OS X and Windows).
See #3159 (closed), #8334
Partially fixes #4175 (closed) (particularly https://github.com/nodejs/node/issues/4175#issuecomment-171206355), and may also address https://github.com/Microsoft/tfs-cli/issues/118 and https://github.com/apigee/microgateway-core/issues/9 without forcing them to recompile node.