-
-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix CA certificates #189
base: main
Are you sure you want to change the base?
Fix CA certificates #189
Conversation
@@ -0,0 +1,147 @@ | |||
/* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
consider your repo as a module.
{
"dependencies": {
/* ... */,
"node-load-cert-dir": "github:throwaway96/node-load-cert-dir"
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You think the separate module is cleaner? There are advantages, I guess...
Note: I used a module for v0.6.4-test21; see 5c19c0f. (That was before I switched to the Mozilla CA cert bundle.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you do it this way, it should be pinned to a specific commit. Part of me feels like it's better off just living in this repo, but it could be useful to other WebOS apps.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You think the separate module is cleaner? There are advantages, I guess...
well, if you want to make changes, then you need to manually keep the repository and module in sync.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you do it this way, it should be pinned to a specific commit. Part of me feels like it's better off just living in this repo, but it could be useful to other WebOS apps.
you can also use tags. latest
is quite suitable. ;P
10ed3ba
to
9fa72be
Compare
This should work on all webOS versions. It loads certificates from the Mozilla CA cert bundle. Users may add additional certs by placing PEM-encoded files in the "certs" directory.
The
node
binary contains a built-in set of trusted CA certificates that never gets updated. Therefore, Node.js services are stuck using whatever certs were bundled when that potentially ancient Node version was released.Newer versions of Node.js (on webOS 5+) support the
--use-openssl-ca
option, which makesnode
use/etc/ssl/certs
instead of its own bundle—but that doesn't help us on older versions. Indeed, there doesn't seem to be a clean way to fix this globally on Node 0.10.x and 0.12.x. So, I ended up creating a wrapper aroundfetch()
that controls what certificates it trusts.All PEM certs in
<service dir>/certs
will be treated as trusted. I have included the Mozilla CA cert bundle from curl, but users can also add additional certs. If people don't think that's useful, I could simplify the code by just loading a single file (which users could still modify). We could also theoretically just embed the certs in a JS file and avoid the "parsing" part altogether, but that would significantly reduce flexibility.While testing this on webOS 1, I was able to download and install Kodi and apps hosted on GitHub. It could use more testing on other webOS versions. It's not perfect, but I'm tired. And I want to get a release out this year.