Skip to content

Make --use-system-ca per-env rather than per-process #60678

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Aditi-1400 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Make --use-system-ca per-env rather than per-process #60678

Aditi-1400 wants to merge 1 commit into from
+344 −75

Conversation

@Aditi-1400
Copy link
Contributor

@Aditi-1400 Aditi-1400 commented Nov 11, 2025
edited
Loading

Makes the --use-system-ca option a per-environment option rather than a per-process option so that workers can enable/disable them individually

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Nov 11, 2025

Review requested:

  • @nodejs/config
  • @nodejs/crypto
  • @nodejs/startup

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Nov 11, 2025
@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 2 times, most recently from d87558c to 23473b9 Compare November 11, 2025 10:28
@joyeecheung
Copy link
Member

joyeecheung commented Nov 11, 2025
edited
Loading

Hmm, I think this may need more work than just updating the options - the implication of being per-env is that each worker would then be able to toggle this independently. Say when the main thread does not enable it but a worker does, then the worker will have the system CA certs in their default store but the parent doesn't. Can you add a test for this, and the other way around (parent enables it, worker disables it)? My impression is that the default store initialisation code is not yet ready for this and it's still shared across the process (so if a worker enables it, suddenly the parent get it too, which would be unexpected).

@codecov
Copy link

codecov bot commented Nov 11, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 72.46377% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.74%. Comparing base (37e4004) to head (5d7dc6b).
⚠️ Report is 11 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_context.cc 70.76% 9 Missing and 10 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #60678      +/-   ##
==========================================
- Coverage   89.78%   89.74%   -0.04%     
==========================================
  Files         673      673              
  Lines      203775   203853      +78     
  Branches    39166    39178      +12     
==========================================
  Hits       182956   182956              
- Misses      13139    13199      +60     
- Partials     7680     7698      +18
Files with missing lines Coverage Δ
src/crypto/crypto_common.cc 77.47% <100.00%> (ø)
src/crypto/crypto_context.h 100.00% <ø> (ø)
src/node.cc 75.93% <ø> (-0.16%) ⬇️
src/node_options.cc 77.91% <100.00%> (+0.02%) ⬆️
src/node_options.h 97.89% <100.00%> (ø)
src/crypto/crypto_context.cc 70.98% <70.76%> (+0.14%) ⬆️

... and 45 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 2 times, most recently from f22457c to 780c272 Compare December 2, 2025 14:16
@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 4 times, most recently from 38913f9 to d9fb49d Compare December 12, 2025 18:05
joyeecheung
joyeecheung reviewed Jan 6, 2026
View reviewed changes
Copy link
Member

@joyeecheung joyeecheung left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add some tests to test/parallel that checks this affects tls.getCACertificates('default') in a worker if tls.getCACertificates('system') returns non-empty in a parent? (if there are no system CAs in the testing machine, then the test can be skipped - that way it can run even without the mock certificates installed)

@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 2 times, most recently from 77856be to d8281c4 Compare January 15, 2026 13:56
@joyeecheung joyeecheung mentioned this pull request Jan 15, 2026
Open
15 tasks
joyeecheung
joyeecheung reviewed Jan 23, 2026
View reviewed changes
joyeecheung
joyeecheung reviewed Jan 30, 2026
View reviewed changes
src/crypto/crypto_context.cc
}

Environment* env = Environment::GetCurrent(args);
const bool use_system_ca = env != nullptr && env->options()->use_system_ca;
Copy link
Member

@joyeecheung joyeecheung Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add a bit of log here to check whether it's hit on the env == nullptr path.

Suggested change
const bool use_system_ca = env != nullptr && env->options()->use_system_ca;
const bool use_system_ca = env != nullptr && env->options()->use_system_ca;
per_process::Debug(DebugCategory::CRYPTO,
"StartLoadingCertificatesOffThread env=%p\n", env);

src/crypto/crypto_context.cc
if (tried_cert_loading_off_thread.load() &&
cert_loading_thread_started.load()) {
uv_thread_join(&cert_loading_thread);
// Serialize with starters to avoid the race window.
Copy link
Member

@joyeecheung joyeecheung Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we now need to move the thread joining code before the freeing code to avoid races.

src/crypto/crypto_context.cc
per_process::cli_options->per_isolate->per_env->use_system_ca;
}
}
if (ssl_openssl_cert_store) {
Copy link
Member

@joyeecheung joyeecheung Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we also now need to add EnvironmentOptions::CheckOptions to validate that --use-openssl-ca and --use-system-ca are mutually exclusive and error out when they are both set. Can you also add a test for it?

src/node_options.cc
env_options->use_env_proxy = opt_getter("NODE_USE_ENV_PROXY") == "1";

#if HAVE_OPENSSL
env_options->use_system_ca = opt_getter("NODE_USE_SYSTEM_CA") == "1";
Copy link
Member

@joyeecheung joyeecheung Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a test for the per-worker env var NODE_USE_SYSTEM_CA? And that --no-use-system-ca overrides it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joyeecheung joyeecheung joyeecheung left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Aditi-1400 @nodejs-github-bot @joyeecheung