Use the certificate provided by the node.js #301
Conversation
shibd
requested review from
BewareMyPower,
eolivelli,
nicoloboschi and
RobertIndie
|
I suggest we should built-in the cacert. In the |
Since Node.js already has built-in certificates, we don't need to make a copy in our repository, we just need to use it when installing. |
* Use the certificate provided by the node.js. * Gen cert file when npm install. * Certificate generation is performed only once * Fix code reviews. (cherry picked from commit a89b64f)
|
Great work! I would like to reiterate that it is better that we don't bundle a CAcert file statically, in that case we would take responsibility on the contents of the files and to maintain the file. This is a burden that the Pulsar project couldn't bear. The approach on this patch is perfect |
| } | ||
|
|
||
| static genCertFile() { | ||
| fs.rmSync(certsFilePath, { force: true }); |
There was a problem hiding this comment.
What happens if you bootstrap two clients on the same machine?
Will they use the same file?
Also, we need to set permissions appropriately on this file, otherwise other users may override the contents and lead to a security hole
There was a problem hiding this comment.
What happens if you bootstrap two clients on the same machine?
Will they use the same file?
The file is generated only once at installation time.
If pulsar-client is the global install, they will use the same file.
If pulsar-client is not installed globally, each project generates files and uses them separately.
Also, we need to set permissions appropriately on this file, otherwise other users may override the contents and lead to a security hole
How do I set permissions? I don't think it's necessary, just like the default /etc/ssl/cert.pem file in linux, users can override it too, right?
There was a problem hiding this comment.
The permission of ca-certificates.crt on Linux is:
$ ls -lh /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 191K Feb 7 15:20 /etc/ssl/certs/ca-certificates.crtBut I don't think we need to change the permission. Because this file would be installed under node_modules/ in the project directory. The owner is who ran npm install. It would be that user's fault if the permission was overridden by others.
We are using the Mozilla CA file provided by Node.js
Yes, when the user installed BTW: Since the CPP client can't set cert content direct, we first need to write the certificate content to a file and pass in the path to the CPP client. |
|
@shibd I think that we need to add the CAcerts notice to the README.md, so like: CA certificatesWe are using the Mozilla CA file provided by Node.js |
Master Issue: #281
Motivation
After 1.8.0, we helped users precompile CPP, resulting in users not being able to obtain system certificates when using TLS-related functions.
Current usage issues list reference: https://github.com/BewareMyPower/pulsar-tls-examples
Node.js provides bundled Mozilla CA, which we can use by default.
Modifications
tlsTrustCertsFilePathis empty.Verifying this change
You can clone the repository installation and verify:
The environment I currently verified passed is:
Documentation
doc-required(Your PR needs to update docs and you will update later)
doc-not-needed(Please explain why)
doc(Your PR contains doc changes)
doc-complete(Docs have been already added)