tls: include OpenSSL CAs in default CA list #64269

Open: Archkon wants to merge 3 commits into nodejs:main from Archkon:tls

Archkon (Contributor) commented Jul 3, 2026

Fixes: #64258

@nodejs-github-bot (Collaborator)

Review requested:

  • @nodejs/crypto
  • @nodejs/net

@nodejs-github-bot added labels on Jul 3, 2026:

  • c++: Issues and PRs that require attention from people who are familiar with C++.
  • crypto: Issues and PRs related to the crypto subsystem.
  • needs-ci: PRs that need a full CI run.
  • tls: Issues and PRs related to the tls subsystem.
  • typings
Comment thread src/crypto/crypto_context.cc
Comment thread doc/api/tls.md Outdated
Archkon added 2 commits July 5, 2026 02:30
  When --use-openssl-ca is enabled, TLS clients use OpenSSL's
  default certificate locations, but tls.getCACertificates('default')
  did not include those certificates.

  Expose the enumerable OpenSSL default CA certificates through the
  crypto binding and include them in the default CA list returned by
  tls.getCACertificates('default').

  Also add regression coverage using SSL_CERT_FILE to avoid depending
  on the host system CA store.

Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

tls.getCACertificates("default") always returns an empty list when using --use-openssl-ca

3 participants