Extra CA certificates missing when certain TLS options specified #32010
Labels
tls
Issues and PRs related to the tls subsystem.
Comments
ebickle
added a commit
to ebickle/node
that referenced
this issue
Feb 28, 2020
Fixes SecureContext missing NODE_EXTRA_CA_CERTS when SecureContext::AddCACert, SecureContext::AddCRL, or SecureContext::LoadPKCS12 are called. Fixes: nodejs#32010
3 tasks
ebickle
added a commit
to ebickle/node
that referenced
this issue
Mar 17, 2020
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
3 tasks
MylesBorins
pushed a commit
to ebickle/node
that referenced
this issue
Mar 26, 2020
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
ebickle
added a commit
to ebickle/node
that referenced
this issue
Apr 8, 2020
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
ebickle
added a commit
to ebickle/node
that referenced
this issue
Aug 29, 2022
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the bundled root certificates will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is ommitted. Fixes: nodejs#32010 Refs: nodejs#40524
ebickle
added a commit
to ebickle/node
that referenced
this issue
Aug 30, 2022
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the bundled root certificates will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is ommitted. Fixes: nodejs#32010 Refs: nodejs#40524
ebickle
added a commit
to ebickle/node
that referenced
this issue
Aug 30, 2022
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the bundled root certificates will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is ommitted. Fixes: nodejs#32010 Refs: nodejs#40524
ebickle
added a commit
to ebickle/node
that referenced
this issue
Aug 30, 2022
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the bundled root certificates will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is ommitted. Fixes: nodejs#32010 Refs: nodejs#40524
ebickle
added a commit
to ebickle/node
that referenced
this issue
Sep 5, 2022
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues nodejs#20432, nodejs#20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: nodejs#32010 Refs: nodejs#40524 Refs: nodejs#23354
ebickle
added a commit
to ebickle/node
that referenced
this issue
Sep 6, 2022
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues nodejs#20432, nodejs#20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: nodejs#32010 Refs: nodejs#40524 Refs: nodejs#23354
ebickle
added a commit
to ebickle/node
that referenced
this issue
Jul 26, 2024
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues nodejs#20432, nodejs#20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: nodejs#32010 Refs: nodejs#40524 Refs: nodejs#23354
targos
pushed a commit
that referenced
this issue
Aug 14, 2024
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called, rather than losing them when unrelated options are provided. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues #20432, #20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: #32010 Refs: #40524 Refs: #23354 PR-URL: #44529 Reviewed-By: Tim Perry <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What steps will reproduce the bug?
Test Case 1: CRL
NODE_EXTRA_CA_CERTSenvironment variable to a root certificate file.tls.connect()and target a host that has a certificate signed off of the root certificate. Supply thecrloption.Test Case 2: PFX
NODE_EXTRA_CA_CERTSenvironment variable to a root certificate file.tls.connect()and target a host that has a certificate signed off of the root certificate. Supplypfxoption.Test Case 3: CA
NODE_EXTRA_CA_CERTSenvironment variable to a root certificate file.tls.createSecureContext()context.addCACerton the new secure context, passing it a different root certificate than the one specified inNODE_EXTRA_CA_CERTS.tls.connect()and target a host that has a certificate signed off of the root certificate specified inNODE_EXTRA_CA_CERTS. Supply thesecureContextoption.How often does it reproduce? Is there a required condition?
Reproduces 100% of the time.
What is the expected behavior?
Root certificates specified in
NODE_EXTRA_CA_CERTSshould always exist in a SecureContext whenever the Node.js hardcoded root certificates exist.What do you see instead?
In all three test cases, the TLS connection will incorrectly fail due the root certificate being untrusted. This occurs even though the necessary root certificate was specified in
NODE_EXTRA_CA_CERTS.Additional information
node_crypto.cc has multiple bugs where calls to
SecureContext::AddCACert,SecureContext::AddCRLandSecureContext::LoadPKCS12will create a new OpenSSL X509_STORE and fail to include the extra certificates.These functions call
NewRootCertStore(), which only loads the static root certificates and path-based system certificates.I'll submit a PR with reproduction unit tests and a bug fix.
The text was updated successfully, but these errors were encountered: