Since this is a fairly common problem popping up on the node mailing list and stackoverflow (as evidenced in my googling), I decided to create a module from your gist and give the tl;dr explanation along with an example:

https://github.com/coolaj86/node-ssl-root-cas

I've listed you in the AUTHORS file and referenced this thread. :-)

AJ ONeal
(317) 426-6525

On Fri, Mar 7, 2014 at 11:42 AM, Forrest L Norvell <[email protected]> wrote:

> I needed to figure out how to parse Mozilla's format recently, so here's a
> Node program that downloads the CA store from Mozilla and outputs a Node
> module that exports the complete certificate bundle:
>
> https://gist.github.com/othiym23/9417004
>
> My script is derived from another script that is in turn derived from this
> script from the cURL project:
>
> https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl
>
> The URL is in the scripts (and also in src/node_root_certificates.h's
> header, BTW).
>
> F
>
> On Fri, Mar 7, 2014 at 10:16 AM, AJ ONeal <[email protected]> wrote:
>
>> Hey Forrest,
>>
>> Can you point me to the place I can download that Mozilla CA store and
>> tell me enough about how to convert it to PEM? I'm assuming I'd use
>> openssl, but if you have any idea of what the source format is called or
>> any special options I'd need to pass, that would be amazing.
>>
>> AJ ONeal
>>
>> On Fri, Mar 7, 2014 at 2:58 AM, Forrest L Norvell <[email protected]> wrote:
>>
>>> If you're trying to lock down your SSL connections, you want the CA
>>> certs you provide to supplant the built-in ones, or else you have no way of
>>> removing CAs you don't trust. It's kind of annoying that there's not any
>>> way to just add a single CA to a request, but at least you have control
>>> over which CAs you want to use on a per-request basis.
>>>
>>> Node uses the Mozilla CA store, and they're compiled directly into the
>>> node binary (along with the JS code for node's standard modules). The cert
>>> store is available with Node's source (src/node_root_certs.h), or can be
>>> downloaded directly from Mozilla and postprocessed into PEM files.
>>>
>>> On Thursday, March 6, 2014, AJ ONeal <[email protected]> wrote:
>>>
>>>> On Thu, Mar 6, 2014 at 6:09 PM, Kevin Ingwersen <[email protected]> wrote:
>>>>
>>>>> I don't know what you actually mean by CA - but.
>>>>>
>>>>> > https.globalAgent.options
>>>>> {}
>>>>>
>>>>> This comes up in the node REPL, and it clearly shows an empty object -
>>>>> there is no 'ca' entry. What would be the expected output here? (btw - node
>>>>> 0.10.24)
>>>>
>>>> When you buy one of the cheaper SSL certificates it will work in
>>>> browsers and most mobile phones, which are updated frequently, but it may
>>>> not work in, say, Ubuntu 12.04 LTS.
>>>>
>>>> So when you are trying to connect to a site with a relatively new cert
>>>> that's on the bottom tier (signed by several intermediate certificates) you
>>>> have to manually add the CA pem files to the chain yourself or you get
>>>> errors like CERT_UNTRUSTED.
>>>>
>>>> I'm no SSL expert, this is just what I've learned from buying a
>>>> RapidSSL certificate.
>>>>
>>>> Originally I got the error UNABLE_TO_VERIFY_LEAF_SIGNATURE, which I
>>>> was able to rectify by adding the RapidSSL CAs to the chain, but doing so
>>>> knocked out all of the other CAs.
>>>>
>>>> So I can connect to Facebook, which uses a certificate that's in the
>>>> chain RapidSSL uses, but I can't connect to Twitter or Stripe, which use
>>>> certificate chains that stem from other SSL cert issuing companies.
>>>>
>>>> AJ ONeal
>>>>
>>>> --
>>>> --
>>>> Job Board: http://jobs.nodejs.org/
>>>> Posting guidelines:
>>>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>>>> You received this message because you are subscribed to the Google
>>>> Groups "nodejs" group.
>>>> To post to this group, send email to [email protected]
>>>> To unsubscribe from this group, send email to
>>>> [email protected]
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/nodejs?hl=en?hl=en
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "nodejs" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
