From ed2b7d95c2392d310e4043f94bb6e5bc9d4ca41b Mon Sep 17 00:00:00 2001
From: fast0490f
Date: Wed, 16 Mar 2016 16:31:01 +0300
Subject: [PATCH] tls: Use system's openssl.cnf for OpenSSL configuration.

---
 doc/api/tls.markdown | 16 ++++++++++++++++
 src/node.cc | 10 +++++++++-
 src/node.h | 6 +++++-
 src/node_crypto.cc | 7 +++++++
 4 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
index ef1c7fc32bdd9f..dd0aa7f97bf03d 100644
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -87,6 +87,22 @@
 To test the server, connect to it with `openssl s_client -connect address:port`
 and tap `R` (i.e., the letter `R` followed by a carriage return) a few times.
 
+## Use system default OpenSSL configuration
+
+Use the `--openssl-system-conf` command line switch to force Node.js use system
+default configuration for OpenSSL.
+
+```
+node --openssl-system-conf
+```
+
+When Node.js is run with this switch, OpenSSL is initialized with the
+configuration file specified in the OPENSSL_CONF environment variable, and if
+that is not set then a system default configuration file location is used.
+See [OPENSSL_config]
+(https://www.openssl.org/docs/manmaster/crypto/OPENSSL_config.html)
+for defails.
+
 ## Modifying the Default TLS Cipher suite
 
 Node.js is built with a default suite of enabled and disabled TLS ciphers.
diff --git a/src/node.cc b/src/node.cc
index 86b5276226ef1d..d38c19446fbfa4 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -164,10 +164,14 @@ static const char* icu_data_dir = nullptr;
 // used by C++ modules as well
 bool no_deprecation = false;
 
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+// used by crypto module
+bool openssl_system_conf = false;
+# if NODE_FIPS_MODE
 // used by crypto module
 bool enable_fips_crypto = false;
 bool force_fips_crypto = false;
+# endif
 #endif
 
 // process-relative uptime base, initialized at start-up
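Review bot: The nested `# if NODE_FIPS_MODE` / `# endif` added around the FIPS globals uses an indented-directive style that this file does not otherwise use — the same nesting inside `#if HAVE_OPENSSL` in the PrintHelp and ParseArgs hunks below is written as a plain `#if NODE_FIPS_MODE`, and the node.h hunk introduces the same indented pair. Writing them as `#if NODE_FIPS_MODE` and `#endif` keeps the guard spelled identically in all three places, so a search for the FIPS guard finds every occurrence. The duplicated `// used by crypto module` comment could also be folded into the one now placed above `openssl_system_conf`, since both globals are read by the same module.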
@@ -3320,6 +3324,8 @@ static void PrintHelp() {
 " --v8-options print v8 command line options\n"
 #if HAVE_OPENSSL
 " --tls-cipher-list=val use an alternative default TLS cipher list\n"
+ " --openssl-system-conf use system's openssl.cnf for OpenSSL\n"
+ " configuration\n"
 #if NODE_FIPS_MODE
 " --enable-fips enable FIPS crypto at startup\n"
 " --force-fips force FIPS crypto (cannot be disabled)\n"
@@ -3468,6 +3474,8 @@ static void ParseArgs(int* argc,
 #if HAVE_OPENSSL
 } else if (strncmp(arg, "--tls-cipher-list=", 18) == 0) {
 default_cipher_list = arg + 18;
+ } else if (strcmp(arg, "--openssl-system-conf") == 0) {
+ openssl_system_conf = true;
 #if NODE_FIPS_MODE
 } else if (strcmp(arg, "--enable-fips") == 0) {
 enable_fips_crypto = true;
diff --git a/src/node.h b/src/node.h
index 59df8e18b4f626..62c0de3a4f0b88 100644
--- a/src/node.h
+++ b/src/node.h
@@ -179,9 +179,13 @@ typedef intptr_t ssize_t;
 namespace node {
 
 NODE_EXTERN extern bool no_deprecation;
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+
+#if HAVE_OPENSSL
+NODE_EXTERN extern bool openssl_system_conf;
+# if NODE_FIPS_MODE
 NODE_EXTERN extern bool enable_fips_crypto;
 NODE_EXTERN extern bool force_fips_crypto;
+# endif
 #endif
 
 NODE_EXTERN int Start(int argc, char *argv[]);
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index a62818942bf94f..37836375e0aebf 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -5644,6 +5644,13 @@ void ExportChallenge(const FunctionCallbackInfo& args) {
 
 
 void InitCryptoOnce() {
+#ifdef HAVE_OPENSSL
+ // Use system's openssl.cnf for OpenSSL configuration
+ if (openssl_system_conf) {
+ OPENSSL_config(nullptr);
+ }
+#endif // HAVE_OPENSSL
+
 SSL_library_init();
 OpenSSL_add_all_algorithms();
 SSL_load_error_strings();
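Review bot: The new guard is `#ifdef HAVE_OPENSSL`, while node.cc and node.h in this same patch test the macro's value with `#if HAVE_OPENSSL`; a build that defines HAVE_OPENSSL as 0 would make the two spellings disagree, so this should be `#if HAVE_OPENSSL` to match. The call also discards the outcome: OPENSSL_config() returns nothing, and as far as I recall the 1.0.x series prints "Auto configuration failed" and exits the process on a file that fails to load while later versions ignore the error — the man page linked from the doc hunk points to CONF_modules_load_file() when the caller wants to see the result, which would let a malformed openssl.cnf be reported to the operator who passed the switch rather than being invisible or fatal. Since the file being loaded is chosen by the OPENSSL_CONF environment variable (or the build's default path) and an OpenSSL config can load engine modules, the comment should record why this stays opt-in: `// Opt-in only (--openssl-system-conf): the config file is selected by OPENSSL_CONF or` / `// the library's default path and may configure engines, so it is never loaded by default.`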