archive/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-08-15 13:48:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
node/test/parallel/test-tls-set-default-ca-certificates-reset-fetch.mjs
Joyee Cheung edd66d0130
crypto: add tls.setDefaultCACertificates() 
This API allows dynamically configuring CA certificates that
will be used by the Node.js TLS clients by default.

Once called, the provided certificates will become the default CA
certificate list returned by `tls.getCACertificates('default')` and
used by TLS connections that don't specify their own CA certificates.

This function only affects the current Node.js thread.

PR-URL: https://github.com/nodejs/node/pull/58822
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
2025-07-18 19:57:53 +00:00

47 lines
1.5 KiB
JavaScript
Raw Permalink Blame History

// Flags: --no-use-system-ca
// This tests appending certificates to existing defaults should work correctly
// with fetch.
import * as common from '../common/index.mjs';
import { once } from 'node:events';
import * as fixtures from '../common/fixtures.mjs';
import assert from 'node:assert';
if (!common.hasCrypto) common.skip('missing crypto');
const { default: https } = await import('node:https');
const { default: tls } = await import('node:tls');
// Test HTTPS connection fails with bundled CA, succeeds after adding custom CA.
const server = https.createServer({
cert: fixtures.readKey('agent8-cert.pem'),
key: fixtures.readKey('agent8-key.pem'),
}, common.mustCall((req, res) => {
res.writeHead(200);
res.end('hello world');
}, 1));
server.listen(0);
await once(server, 'listening');
const fixturesCert = fixtures.readKey('fake-startcom-root-cert.pem');
tls.setDefaultCACertificates([fixturesCert]);
// First, verify connection works with custom CA.
const response1 = await fetch(`https://localhost:${server.address().port}/custom-ca-test`);
assert.strictEqual(response1.status, 200);
const text1 = await response1.text();
assert.strictEqual(text1, 'hello world');
// Now set empty CA store - connection should fail.
tls.setDefaultCACertificates([]);
// Use IP address to skip session cache.
await assert.rejects(
fetch(`https://127.0.0.1:${server.address().port}/empty-ca-test`),
(err) => {
assert.strictEqual(err.cause.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
return true;
},
);
server.close();
Reference in a new issue View git blame Copy permalink