Skip to content

Commit

Permalink
src,doc,test: add --openssl-shared-config option
Browse files Browse the repository at this point in the history
This commit adds a new command line option named
'--openssl-shared-config' intended to allow reverting to the old OpenSSL
configuration behavior where Node.js would use the configuration section
name (called appname in OpenSSL) 'openssl_conf' which could potentially
be used my other applications..

PR-URL: #43124
Refs: #40366
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>
  • Loading branch information
danbev authored and danielleadams committed Jun 11, 2022
1 parent f7ce90b commit b2fce3f
Show file tree
Hide file tree
Showing 5 changed files with 29 additions and 1 deletion.
16 changes: 16 additions & 0 deletions doc/api/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -779,6 +779,21 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
used to enable FIPS-compliant crypto if Node.js is built
against FIPS-enabled OpenSSL.

### `--openssl-shared-config`

<!-- YAML
added: REPLACEME
-->

Enable OpenSSL default configuration section, `openssl_conf` to be read from
the OpenSSL configuration file. The default configuration file is named
`openssl.cnf` but this can be changed using the environment variable
`OPENSSL_CONF`, or by using the command line option `--openssl-config`.
The location of the default OpenSSL configuration file depends on how OpenSSL
is being linked to Node.js. Sharing the OpenSSL configuration may have unwanted
implications and it is recommended to use a configuration section specific to
Node.js which is `nodejs_conf` and is default when this option is not used.

### `--openssl-legacy-provider`

<!-- YAML
Expand Down Expand Up @@ -1671,6 +1686,7 @@ Node.js options that are allowed are:
* `--node-memory-debug`
* `--openssl-config`
* `--openssl-legacy-provider`
* `--openssl-shared-config`
* `--pending-deprecation`
* `--policy-integrity`
* `--preserve-symlinks-main`
Expand Down
7 changes: 6 additions & 1 deletion src/node.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1092,8 +1092,13 @@ InitializationResult InitializeOncePerProcess(
// to be loaded, but the default section in that file will not be used,
// instead only the section that matches the value of conf_section_name
// will be read from the default configuration file.
// fprintf(stderr, "appanme: %s\n", conf_section_name);
const char* conf_file = nullptr;
// To allow for using the previous default where the 'openssl_conf' appname
// was used, the command line option 'openssl-shared-config' can be used to
// force the old behavior.
if (per_process::cli_options->openssl_shared_config) {
conf_section_name = "openssl_conf";
}
// Use OPENSSL_CONF environment variable is set.
std::string env_openssl_conf;
credentials::SafeGetenv("OPENSSL_CONF", &env_openssl_conf);
Expand Down
4 changes: 4 additions & 0 deletions src/node_options.cc
Original file line number Diff line number Diff line change
Expand Up @@ -869,6 +869,10 @@ PerProcessOptionsParser::PerProcessOptionsParser(
"enable OpenSSL 3.0 legacy provider",
&PerProcessOptions::openssl_legacy_provider,
kAllowedInEnvironment);
AddOption("--openssl-shared-config",
"enable OpenSSL shared configuration",
&PerProcessOptions::openssl_shared_config,
kAllowedInEnvironment);

#endif // OPENSSL_VERSION_MAJOR
AddOption("--use-largepages",
Expand Down
1 change: 1 addition & 0 deletions src/node_options.h
Original file line number Diff line number Diff line change
Expand Up @@ -266,6 +266,7 @@ class PerProcessOptions : public Options {
#endif
#if OPENSSL_VERSION_MAJOR >= 3
bool openssl_legacy_provider = false;
bool openssl_shared_config = false;
#endif

// Per-process because reports can be triggered outside a known V8 context.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {

if (!common.hasOpenSSL3) {
documented.delete('--openssl-legacy-provider');
documented.delete('--openssl-shared-config');
}

// Filter out options that are conditionally present.
Expand All @@ -55,6 +56,7 @@ const conditionalOpts = [
return [
'--openssl-config',
common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
common.hasOpenSSL3 ? '--openssl-shared-config' : '',
'--tls-cipher-list',
'--use-bundled-ca',
'--use-openssl-ca',
Expand Down

0 comments on commit b2fce3f

Please sign in to comment.