Tracking issue: custom CA certificate support

[joyeecheung]

Trying to track the recent changes that allow easier configuration of custom CA certificate for constrained environments and the backports

• Support --use-system-ca for macOS feat: added support for reading certificates from macOS system store #56599
• Support --use-system-ca for Windows crypto: support --use-system-ca on Windows #56833
• Support --use-system-ca for other Unix-like platforms: crypto: support --use-system-ca on non-Windows and non-macOS #57009
• JS API to query CA certificates: tls: implement tls.getCACertificates() #57107
• JS API to configure the CA certificates crypto: add tls.setDefaultCACertificates() #58822
• Encouraging use of --use-system-ca in certificate errors: Suggest --use-system-ca when a certificate error occurs #57362
• Fixing leak of --use-system-ca crypto: fix X509* leak in --use-system-ca #56832
• Add NODE_USE_SYSTEM_CA=1 cli: add NODE_USE_SYSTEM_CA=1 #59276
• Load system CA certificates off thread crypto: load system CA certificates off thread #59550
• Only load certificates off thread when tls is used tls: only do off-thread certificate loading on loading tls #59856
• Implement certificate distrust on Windows to match Chromium's policy:

  node/src/crypto/crypto_context.cc

  Lines 647 to 648 in 5623194

  	// TODO(joyeecheung): match Chromium's policy, collect more certificates
  	// from user-added CAs and support disallowed (revoked) certificates.

• Make --use-system-ca a per-env option so that workers can enable/disable them individually

  node/src/node.cc

  Lines 872 to 873 in b13f24c

  	// TODO(joyeecheung): make this a per-env option and move the normalization
  	// into HandleEnvOptions.

• Make NODE_USE_SYSTEM_CA=0 disable system CA if it gets enabled by default
• Provide a build-time option to enable --use-system-ca by default
• Enable --use-system-ca by default

[gengjiawen]

will use-system-ca default to true in next major ?

Node.js is the only software I know doesn't respect system CA, really weird behavior.

[joyeecheung]

Currently this still has a non-trivial performance overhead on the first TLS connection. We'll need to check and see if that can be mitigated or reduced.

[EmperorArthur]

Node.js is the only software I know doesn't respect system CA, really weird behavior.

Python requires that trustore be installed, and pip only recently stopped requiring an experimental flag.

I do agree it's a bit of a pain though. Especially in corporate environments.

[joyeecheung]

I found a way to minimize the performance impact - #59550 with this I think there would be a much smaller performance impact to enable it by default.

[amilshahsahab]

Trying to track the recent changes that allow easier configuration of custom CA certificate for constrained environments and the backports

• Support --use-system-ca for macOS feat: added support for reading certificates from macOS system store #56599[x] Support --use-system-ca for Windows crypto: support --use-system-ca on Windows #56833[x] Support --use-system-ca for other Unix-like platforms: crypto: support --use-system-ca on non-Windows and non-macOS #57009[x] JS API to query CA certificates: tls: implement tls.getCACertificates() #57107[x] JS API to configure the CA certificates crypto: add tls.setDefaultCACertificates() #58822[x] Encouraging use of --use-system-ca in certificate errors: Suggest --use-system-ca when a certificate error occurs #57362[x] Fixing leak of --use-system-ca crypto: fix X509* leak in --use-system-ca #56832[x] Add NODE_USE_SYSTEM_CA=1 cli: add NODE_USE_SYSTEM_CA=1 #59276

#59276 (comment)