If you're trying to lock down your SSL connections, you want the CA certs
you provide to supplant the built-in ones, or else you have no way of
removing CAs you don't trust. It's kind of annoying that there's not any
way to just add a single CA to a request, but at least you have control
over which CAs you want to use on a per-request basis.

Node uses the Mozilla CA store, and they're compiled directly into the node
binary (along with the JS code for node's standard modules). The cert store
is available with Node's source (src/node_root_certs.h), or can be
downloaded directly from Mozilla and postprocessed into PEM files.

On Thursday, March 6, 2014, AJ ONeal <[email protected]> wrote:

> On Thu, Mar 6, 2014 at 6:09 PM, Kevin Ingwersen <[email protected]> wrote:
>
>> I don't know what you actually mean by CA - but.
>>
>> > https.globalAgent.options
>> {}
>>
>> This comes up in the node REPL, and it clearly shows an empty object -
>> there is no 'ca' entry. What would be the expected output here? (btw - node
>> 0.10.24)
>>
>
> When you buy one of the cheaper SSL certificates it will work in browsers
> and most mobile phones, which are updated frequently, but it may not work
> in, say, Ubuntu 12.04 LTS.
>
> So when you are trying to connect to a site with a relatively new cert
> that's on the bottom tier (signed by several intermediate certificates) you
> have to manually add the CA pem files to the chain yourself or you get
> errors like CERT_UNTRUSTED.
>
> I'm no SSL expert, this is just what I've learned from buying a RapidSSL
> certificate.
>
> Originally I got the error UNABLE_TO_VERIFY_LEAF_SIGNATURE, which I was
> able to rectify by adding the RapidSSL CAs to the chain, but doing so
> knocked out all of the other CAs.
>
> So I can connect to Facebook, which uses a certificate that's in the chain
> RapidSSL uses, but I can't connect to Twitter or Stripe, which use
> certificate chains that stem from other SSL cert issuing companies.
>
> AJ ONeal
>
> --
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
>
> ---
> You received this message because you are subscribed to the Google Groups
> "nodejs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
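
An added example, not part of the original thread: the two trust policies discussed above, replacing the bundled roots versus extending them, built per request. It assumes a current Node release that exposes `tls.rootCertificates` (the 0.10 line discussed in the thread does not); `splitPem`, `buildCaList` and `agentFor` are hypothetical helper names.

```javascript
// Added example: choose between replacing and extending Node's bundled roots.
const tls = require('tls');
const https = require('https');

const PEM_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle (one or more concatenated certificates) into single certs.
function splitPem(bundle) {
  const certs = String(bundle).match(PEM_RE);
  if (!certs) throw new Error('no CERTIFICATE blocks found in PEM input');
  return certs.map((c) => c.trim());
}

// mode 'replace': trust only extraPems (the bundled roots are supplanted).
// mode 'extend' : trust the bundled Mozilla roots plus extraPems.
function buildCaList(mode, extraPems) {
  const extras = extraPems.flatMap(splitPem);
  if (mode === 'replace') return [...new Set(extras)];
  if (mode === 'extend') {
    const bundled = tls.rootCertificates.flatMap(splitPem);
    return [...new Set([...bundled, ...extras])];
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Per-request agent. createSecureContext() parses every cert up front, so a
// malformed PEM fails here and not in the middle of a handshake.
function agentFor(mode, extraPems) {
  const ca = buildCaList(mode, extraPems);
  tls.createSecureContext({ ca });
  return new https.Agent({ ca, rejectUnauthorized: true });
}

// Constructed sample input: reuse one bundled root as the "extra" CA so the
// example runs offline. In practice this would be your own CA's PEM file.
const sampleCa = tls.rootCertificates[0];
const pinned = buildCaList('replace', [sampleCa]);
const extended = buildCaList('extend', [sampleCa]);
console.log(`replace: ${pinned.length} CA, extend: ${extended.length} CAs`);
// Usage: https.get({ host, path, agent: agentFor('extend', [pem]) }, callback)
```

With `replace`, a server whose chain ends at any other root fails verification, which is the behaviour described in the thread; `extend` keeps the bundled roots and adds yours.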
