Fix CA certificates #189
Fix CA certificates #189
Conversation
| @@ -0,0 +1,147 @@ | |||
| /* | |||
There was a problem hiding this comment.
consider your repo as a module.
{
"dependencies": {
/* ... */,
"node-load-cert-dir": "github:throwaway96/node-load-cert-dir"
}
}There was a problem hiding this comment.
You think the separate module is cleaner? There are advantages, I guess...
Note: I used a module for v0.6.4-test21; see 5c19c0f. (That was before I switched to the Mozilla CA cert bundle.)
There was a problem hiding this comment.
If you do it this way, it should be pinned to a specific commit. Part of me feels like it's better off just living in this repo, but it could be useful to other WebOS apps.
There was a problem hiding this comment.
You think the separate module is cleaner? There are advantages, I guess...
well, if you want to make changes, then you need to manually keep the repository and module in sync.
There was a problem hiding this comment.
If you do it this way, it should be pinned to a specific commit. Part of me feels like it's better off just living in this repo, but it could be useful to other WebOS apps.
you can also use tags. latest is quite suitable. ;P
throwaway96
force-pushed
the
cert-fix-2-20240609
branch
from
10ed3ba
to
9fa72be
Compare
This should work on all webOS versions. It loads certificates from the Mozilla CA cert bundle. Users may add additional certs by placing PEM-encoded files in the "certs" directory.
The
nodebinary contains a built-in set of trusted CA certificates that never gets updated. Therefore, Node.js services are stuck using whatever certs were bundled when that potentially ancient Node version was released.Newer versions of Node.js (on webOS 5+) support the
--use-openssl-caoption, which makesnodeuse/etc/ssl/certsinstead of its own bundle—but that doesn't help us on older versions. Indeed, there doesn't seem to be a clean way to fix this globally on Node 0.10.x and 0.12.x. So, I ended up creating a wrapper aroundfetch()that controls what certificates it trusts.All PEM certs in
<service dir>/certswill be treated as trusted. I have included the Mozilla CA cert bundle from curl, but users can also add additional certs. If people don't think that's useful, I could simplify the code by just loading a single file (which users could still modify). We could also theoretically just embed the certs in a JS file and avoid the "parsing" part altogether, but that would significantly reduce flexibility.While testing this on webOS 1, I was able to download and install Kodi and apps hosted on GitHub. It could use more testing on other webOS versions. It's not perfect, but I'm tired. And I want to get a release out this year.