-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: explicitly enable auto cert chaining #22110
Conversation
@nodejs/crypto |
@nodejs/security-wg |
Not objecting, but a couple of questions:
|
The specific behaviour I observed was when setting up a server with a self-signed cert, and providing the root/intermediate certs in the const server = https.createServer({
key: fs.readFileSync(path.join(certPath, 'server.key')),
cert: fs.readFileSync(path.join(certPath, 'server.pem')),
ca: [
fs.readFileSync(path.join(certPath, 'rootCA.pem')),
fs.readFileSync(path.join(certPath, 'intermediateCA.pem'))
],
requestCert: true,
rejectUnauthorized: false
}, ...) With automatic cert chaining, which is enabled by default in OpenSSL, a trust chain will be built for the cert on every handshake (see OpenSSL and BoringSSL, which also caches the chain). If this behaviour is disabled, which is the default in BoringSSL, then the certificate chain will not be automatically built from certs that are available in the CA list. I think changing this behaviour in node—to not build these chains automatically—has the potential to be fairly disruptive, since it changes core APIs (
See boringssl/42, which is closed as WontFix, since wpa_supplicant depends on the auto-chaining feature too. So its removal from BoringSSL seems unlikely. Even if it were removed from BoringSSL, since Node.js doesn't officially support BoringSSL, I imagine there'd be no work for the Node.js team to do at all :)
In Electron, the only other changes we need to get node to compile with BoringSSL are a few #defines. |
We most likely won't support BoringSSL officially (which isn't recommended by BoringSSL anyway). Personally, I am okay with merging this with a comment explaining why this line is necessary and maybe also a preprocessor directive to skip this for non-BoringSSL builds. Pinging @nodejs/tsc for opinions. |
No opinion on the change, but without at least a comment explaining the line, this risks being removed in a refactor at a later date. |
e90b790
to
bc35f30
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. CI failure is infrastructural. I'd say this PR is ready to land.
Landed in 7dae872. |
OpenSSL enables this feature by default, but BoringSSL doesn't. This change makes it so that when building node with BoringSSL, the behaviour matches OpenSSL's. PR-URL: #22110 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Ujjwal Sharma <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]>
OpenSSL enables this feature by default, but BoringSSL doesn't. This change makes it so that when building node with BoringSSL, the behaviour matches OpenSSL's. PR-URL: #22110 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Ujjwal Sharma <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]>
OpenSSL enables this feature by default, but BoringSSL doesn't. This change makes it so that when building node with BoringSSL, the behaviour matches OpenSSL's. PR-URL: #22110 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Ujjwal Sharma <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]>
OpenSSL enables this feature by default, but BoringSSL doesn't, because it's expensive and unnecessary (see boringssl/27 and boringssl/42). This change makes it so that when building node with BoringSSL, the behaviour matches OpenSSL's.
Electron will be building node.js with BoringSSL in future, and we've floated this patch on our fork (see electron/node#47).
Checklist