author | Daniel Bevenius <daniel.bevenius@gmail.com> | 2017-11-06 10:30:29 +0100 |
---|---|---|
committer | Daniel Bevenius <daniel.bevenius@gmail.com> | 2017-11-10 05:47:20 +0100 |
commit | cad1d1ff457afb93034b995111ef1b8cc1f08d82 (patch) | |
tree | eb54609be0fedc8beb2eb5b5b3282f91ddf36ac7 /src/node_crypto.cc | |
parent | 44d3e17985befbd45457d5ad7f0a0387849e1b2f (diff) | |
src: add openssl-system-ca-path configure option

The motivation for this commit is that we need to specify system CA
certificates when building node. While we are aware of the environment
variable NODE_EXTRA_CA_CERTS this is not a great solution as we build
an RPM and we also don't want users to be able to unset them.

The suggestion is to add a configure time property like this:

    --openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH
        Use the specified path to system CA (PEM format) in
        addition to the OpenSSL supplied CA store or compiled-
        in Mozilla CA copy.

Usage example:

    $ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt

This would add the specified CA certificates in addition to the ones
already being used.

PR-URL: https://github.com/nodejs/node/pull/16790
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Diffstat (limited to 'src/node_crypto.cc')
-rw-r--r-- | src/node_crypto.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/node_crypto.cc b/src/node_crypto.cc index c692a83292..0332daf68e 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -140,6 +140,8 @@ static const char* const root_certs[] = { #include "node_root_certs.h" // NOLINT(build/include_order) }; +static const char system_cert_path[] = NODE_OPENSSL_SYSTEM_CERT_PATH; + static std::string extra_root_certs_file; // NOLINT(runtime/string) static X509_STORE* root_cert_store; @@ -792,6 +794,9 @@ static X509_STORE* NewRootCertStore() { } X509_STORE* store = X509_STORE_new(); + if (*system_cert_path != '\0') { + X509_STORE_load_locations(store, system_cert_path, nullptr); + } if (ssl_openssl_cert_store) { X509_STORE_set_default_paths(store); } else { |
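Review bot: The `system_cert_path` definition added after `root_certs[]` (first hunk, at -140,6) compiles only if the build always defines NODE_OPENSSL_SYSTEM_CERT_PATH as a string literal, and nothing in the visible lines of this file provides a fallback or says where the macro comes from. Consider guarding it with `#ifndef NODE_OPENSSL_SYSTEM_CERT_PATH` and defaulting to `""`, which the later `*system_cert_path != '\0'` test already treats as "not configured", and add a short comment naming the configure option that sets it, since this path becomes a trust anchor source that users cannot override at run time.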
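Review bot: In NewRootCertStore() (second hunk, at -792,6) the return value of `X509_STORE_load_locations(store, system_cert_path, nullptr)` is discarded, so a missing, unreadable or malformed bundle at the configured path leaves the store without the system CAs and gives no signal to the operator. Since the commit message presents this path as the CA set the packager wants enforced, a silent miss changes which peers are trusted; check the result and at least report the failure. A failed load can also leave entries on the OpenSSL error queue, so clear the queue on the failure path to keep them from being attributed to a later, unrelated call.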