How to append to global CAs, rather than replace them?


AJ ONeal

Mar 6, 2014, 7:17:07 PM3/6/14
to node.js mailing list
So it turns out that when I do this

It knocks out all of the well-known CAs and then I can't connect to Twitter, Stripe, etc.

Is it possible to append instead of replace?

If not, where do I find the pem files to read back in?


AJ ONeal

Kevin Ingwersen

Mar 6, 2014, 7:30:16 PM3/6/14
to nod...@googlegroups.com
Sounds to me like its an array/object, so try this:

https.globalAgent.options.ca[] = lesserKnownCas;

That will add an entry into the array.



AJ ONeal

Mar 6, 2014, 8:06:03 PM3/6/14
to node.js mailing list
Nope. This is my actual code:

https.globalAgent.options.ca = https.globalAgent.options.ca || [];
https.globalAgent.options.ca = https.globalAgent.options.ca.concat(lesserKnownCas);

It starts out as undefined, which is why it's very odd to me that defining it kills it.

AJ ONeal

AJ ONeal

Mar 6, 2014, 8:07:23 PM3/6/14
to node.js mailing list
If I could find the directory that has all of the CAs and read them in, that would work just fine, but I don't think there is such a directory. I think it's built into a binary somewhere.

Kevin Ingwersen

Mar 6, 2014, 8:09:33 PM3/6/14
to nod...@googlegroups.com
I don't know what you actually mean by CA - but.

> https.globalAgent.options
{}

This comes up in the node REPL, and it clearly shows an empty object - there is no 'ca' entry. What would be the expected output here? (btw - node 0.10.24)
On 07.03.2014 at 02:07, AJ ONeal <cool...@gmail.com> wrote:

> If I could find the directory that has all of the CAs and read them in, that would work just fine, but I don't think there is such a directory. I think it's built into a binary somewhere.
>
> --



AJ ONeal

Mar 6, 2014, 8:20:38 PM3/6/14
to node.js mailing list
On Thu, Mar 6, 2014 at 6:09 PM, Kevin Ingwersen <ingwi...@googlemail.com> wrote:
> I don't know what you actually mean by CA - but.
>
> > https.globalAgent.options
> {}
>
> This comes up in the node REPL, and it clearly shows an empty object - there is no 'ca' entry. What would be the expected output here? (btw - node 0.10.24)

When you buy one of the cheaper SSL certificates it will work in browsers and most mobile phones, which are updated frequently, but it may not work in, say, Ubuntu 12.04 LTS.

So when you are trying to connect to a site with a relatively new cert that's on the bottom tier (signed by several intermediate certificates) you have to manually add the CA pem files to the chain yourself or you get errors like CERT_UNTRUSTED.

I'm no SSL expert, this is just what I've learned from buying a RapidSSL certificate.

Originally I got the error UNABLE_TO_VERIFY_LEAF_SIGNATURE, which I was able to rectify by adding the RapidSSL CAs to the chain, but doing so knocked out all of the other CAs.

So I can connect to Facebook, which uses a certificate that's in the chain RapidSSL uses, but I can't connect to Twitter or Stripe, which use certificate chains that stem from other SSL cert issuing companies.

AJ ONeal 

Forrest L Norvell

Mar 7, 2014, 4:58:48 AM3/7/14
to nod...@googlegroups.com
If you're trying to lock down your SSL connections, you want the CA certs you provide to supplant the built-in ones, or else you have no way of removing CAs you don't trust. It's kind of annoying that there's not any way to just add a single CA to a request, but at least you have control over which CAs you want to use on a per-request basis.

Node uses the Mozilla CA store, and they're compiled directly into the node binary (along with the JS code for node's standard modules). The cert store is available with Node's source (src/node_root_certs.h), or can be downloaded directly from Mozilla and postprocessed into PEM files.
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to nod...@googlegroups.com
To unsubscribe from this group, send email to
nodejs+un...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en

AJ ONeal

Mar 7, 2014, 1:16:04 PM3/7/14
to node.js mailing list, Forrest L Norvell
Hey Forrest,

Can you point me to the place I can download that Mozilla CA store and tell me enough about how to convert it to PEM? I'm assuming I'd use openssl, but if you have any idea of what the source format is called or any special options I'd need to pass, that would be amazing.

Forrest L Norvell

Mar 7, 2014, 1:42:20 PM3/7/14
to AJ ONeal, node.js mailing list
I needed to figure out how to parse Mozilla's format recently, so here's a Node program that downloads the CA store from Mozilla and outputs a Node module that exports the complete certificate bundle:


My script is derived from another script that is in turn derived from this script from the cURL project:


The URL is in the scripts (and also in src/node_root_certificates.h's header, BTW).

F

AJ ONeal

Mar 7, 2014, 7:31:14 PM3/7/14
to Forrest L Norvell, node.js mailing list
Since this is a fairly common problem popping up on the node mailing list and stackoverflow (as evidenced in my googling), I decided to create a module from your gist and give the tl;dr explanation along with an example:


I've listed you in the AUTHORS file and referenced this thread.

:-)