Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: check node_extra_ca_certs after openssl config #48159

Closed
wants to merge 1 commit into from

Conversation

ckcr4lyf
Copy link
Contributor

I recently discovered that the custom NodeJS specific OpenSSL config section in openssl.cnf would not be respected, if the environment variable NODE_EXTRA_CA_CERTS was set.

This happens even if it contains an invalid value, i.e no actual certs are read.

Someone suggested moving the checking of extra ca certs to after the OpenSSL config is read, and this seems to work.

I wasn't sure how to add a test for this directly into the repo, but as part of my bug report, I had constructed a test which attempts to make a TLS connection to the offending server with a custom OpenSSL config, once with NODE_EXTRA_CA_CERTS set to "" , and once with a dummy value (e.g /dev/null)

To test this change, I build node with the patch and made published it as a container (you can see dockerfile & patch here: https://github.com/ckcr4lyf/no-rfc5746/tree/master/patched_node)

I then updated my tests to load the custom SSL config into this patched node and try the same test, and it passes both cases now!

An example run can be found here: https://github.com/ckcr4lyf/no-rfc5746/actions/runs/5071123450

Note: I am testing the node's usage of the custom SSL config by providing a non-default legacy renegotiation option, and then connecting to a mocked server where I handcraft this insecure ServerHello.

Fixes #48143

I recently discovered that the custom NodeJS specific OpenSSL
config section in openssl.cnf would not be respected, if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/startup

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. labels May 24, 2023
@richardlau richardlau added the request-ci Add this label to start a Jenkins CI on a PR. label May 24, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label May 24, 2023
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/51963/

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

mhdawson pushed a commit that referenced this pull request May 26, 2023
I recently discovered that the custom NodeJS specific OpenSSL
config section in openssl.cnf would not be respected, if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.

PR-URL: #48159
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
@mhdawson
Copy link
Member

Landed as be469d8

@mhdawson mhdawson closed this May 26, 2023
targos pushed a commit that referenced this pull request May 30, 2023
I recently discovered that the custom NodeJS specific OpenSSL
config section in openssl.cnf would not be respected, if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.

PR-URL: #48159
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
@targos targos mentioned this pull request Jun 4, 2023
danielleadams pushed a commit that referenced this pull request Jul 6, 2023
I recently discovered that the custom NodeJS specific OpenSSL
config section in openssl.cnf would not be respected, if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.

PR-URL: #48159
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
MoLow pushed a commit to MoLow/node that referenced this pull request Jul 6, 2023
I recently discovered that the custom NodeJS specific OpenSSL
config section in openssl.cnf would not be respected, if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.

PR-URL: nodejs#48159
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Ceres6 pushed a commit to Ceres6/node that referenced this pull request Aug 14, 2023
I recently discovered that the custom NodeJS specific OpenSSL
config section in openssl.cnf would not be respected, if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.

PR-URL: nodejs#48159
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Ceres6 pushed a commit to Ceres6/node that referenced this pull request Aug 14, 2023
I recently discovered that the custom NodeJS specific OpenSSL
config section in openssl.cnf would not be respected, if the
environment variable `NODE_EXTRA_CA_CERTS` was set.

This happens even if it contains an invalid value, i.e no actual
certs are read.

Someone suggested moving the checking of extra ca certs to after
the OpenSSL config is read, and this seems to work.

PR-URL: nodejs#48159
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

NODE_EXTRA_CA_CERTS option seems to conflict with custom OpenSSL config
6 participants