src: check node_extra_ca_certs after openssl cfg

I recently discovered that the custom NodeJS specific OpenSSL config section in openssl.cnf would not be respected, if the environment variable `NODE_EXTRA_CA_CERTS` was set. This happens even if it contains an invalid value, i.e no actual certs are read. Someone suggested moving the checking of extra ca certs to after the OpenSSL config is read, and this seems to work. PR-URL: #48159 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Minwoo Jung <nodecorelab@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
nodejs · May 30, 2023 · b8f4070 · b8f4070
1 parent ed45142
commit b8f4070
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/src/node.cc b/src/node.cc
@@ -961,11 +961,6 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
       return ret;
     };
 
-    {
-      std::string extra_ca_certs;
-      if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
-        crypto::UseExtraCaCerts(extra_ca_certs);
-    }
     // In the case of FIPS builds we should make sure
     // the random source is properly initialized first.
 #if OPENSSL_VERSION_MAJOR >= 3
@@ -1052,6 +1047,12 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
       CHECK(crypto::CSPRNG(buffer, length).is_ok());
       return true;
     });
+
+    {
+      std::string extra_ca_certs;
+      if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+        crypto::UseExtraCaCerts(extra_ca_certs);
+    }
 #endif  // HAVE_OPENSSL && !defined(OPENSSL_IS_BORINGSSL)
   }