tls: Use system's openssl.cnf for OpenSSL configuration

doc/api/tls.markdown

@@ -87,6 +87,22 @@ To test the server, connect to it with `openssl s_client -connect address:port`
 and tap `R<CR>` (i.e., the letter `R` followed by a carriage return) a few
 times.
 
+## Use system default OpenSSL configuration
+
+Use the `--openssl-system-conf` command line switch to force Node.js use system
+default configuration for OpenSSL.
+
+```
+node --openssl-system-conf
+```
+
+When Node.js is run with this switch, OpenSSL is initialized with the
+configuration file specified in the OPENSSL_CONF environment variable, and if
+that is not set then a system default configuration file location is used.
+See [OPENSSL_config]
+(https://www.openssl.org/docs/manmaster/crypto/OPENSSL_config.html)
+for defails.
+
 ## Modifying the Default TLS Cipher suite
 
 Node.js is built with a default suite of enabled and disabled TLS ciphers.

src/node.cc

@@ -164,10 +164,14 @@ static const char* icu_data_dir = nullptr;
 // used by C++ modules as well
 bool no_deprecation = false;
 
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+// used by crypto module
+bool openssl_system_conf = false;
+# if NODE_FIPS_MODE
 // used by crypto module
 bool enable_fips_crypto = false;
 bool force_fips_crypto = false;
+# endif
 #endif
 
 // process-relative uptime base, initialized at start-up
@@ -3320,6 +3324,8 @@ static void PrintHelp() {
          "  --v8-options          print v8 command line options\n"
 #if HAVE_OPENSSL
          "  --tls-cipher-list=val use an alternative default TLS cipher list\n"
+         "  --openssl-system-conf use system's openssl.cnf for OpenSSL\n"
+         "                        configuration\n"
 #if NODE_FIPS_MODE
          "  --enable-fips         enable FIPS crypto at startup\n"
          "  --force-fips          force FIPS crypto (cannot be disabled)\n"
@@ -3468,6 +3474,8 @@ static void ParseArgs(int* argc,
 #if HAVE_OPENSSL
     } else if (strncmp(arg, "--tls-cipher-list=", 18) == 0) {
       default_cipher_list = arg + 18;
+    } else if (strcmp(arg, "--openssl-system-conf") == 0) {
+      openssl_system_conf = true;
 #if NODE_FIPS_MODE
     } else if (strcmp(arg, "--enable-fips") == 0) {
       enable_fips_crypto = true;

src/node.h

@@ -179,9 +179,13 @@ typedef intptr_t ssize_t;
 namespace node {
 
 NODE_EXTERN extern bool no_deprecation;
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+
+#if HAVE_OPENSSL
+NODE_EXTERN extern bool openssl_system_conf;
+# if NODE_FIPS_MODE
 NODE_EXTERN extern bool enable_fips_crypto;
 NODE_EXTERN extern bool force_fips_crypto;
+# endif
 #endif
 
 NODE_EXTERN int Start(int argc, char *argv[]);

src/node_crypto.cc

@@ -5644,6 +5644,13 @@ void ExportChallenge(const FunctionCallbackInfo<Value>& args) {
 
 
 void InitCryptoOnce() {
+#ifdef HAVE_OPENSSL
+  // Use system's openssl.cnf for OpenSSL configuration
+  if (openssl_system_conf) {
+    OPENSSL_config(nullptr);
+  }
+#endif  // HAVE_OPENSSL
+
   SSL_library_init();
   OpenSSL_add_all_algorithms();
   SSL_load_error_strings();