Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to disable the default ca trust completely #34292

Closed
mdeknowis opened this issue Jul 10, 2020 · 5 comments
Closed

Allow to disable the default ca trust completely #34292

mdeknowis opened this issue Jul 10, 2020 · 5 comments
Labels
feature request Issues that request new features to be added to Node.js. stale tls Issues and PRs related to the tls subsystem.

Comments

@mdeknowis
Copy link

Is your feature request related to a problem? Please describe.
Currently there are only two options regarding the default ca trust used by nodejs

So there is no out of the box chance to disable the default trust.
According to #4175 (comment) you have to override it manually

https.globalAgent.options.ca = [];

Describe the solution you'd like

From security and operation perspective it would be even better per default not having any trust cas at all, but that would be a huge, breaking change.

So at least an option like --use-no-ca would be very helpful here
@bnoordhuis bnoordhuis added feature request Issues that request new features to be added to Node.js. tls Issues and PRs related to the tls subsystem. labels Jul 10, 2020
@bnoordhuis
Copy link
Member

It's not a difficult change to make but I think it needs more justification.

With TLS, you need to trust something. Completely disabling the default CA store means passing { ca: [ /* ... */ ] } explicitly everywhere.

When/why would you want that and is using a preload module (with -r) that sets https.globalAgent.options.ca = [] an acceptable substitute?

@mdeknowis
Copy link
Author

@bnoordhuis I think -r https.globalAgent.options.ca = [] could be a sufficient solution.
We are using currently NODE_EXTRA_CA_CERTS. As our customers need full control over the trust store, we have to disable the default trust store and have to ensure, that only the cert are allowed, which are configured by the Op team.

@bnoordhuis
Copy link
Member

@nodejs/crypto Thoughts? For https there's a simple workaround, but not e.g. tls.connect().

@github-actions
Copy link
Contributor

There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.

For more information on how the project manages feature requests, please consult the feature request management document.

@github-actions github-actions bot added the stale label Mar 18, 2022
@targos targos moved this to Pending Triage in Node.js feature requests Mar 19, 2022
@targos targos moved this from Pending Triage to Stale in Node.js feature requests Mar 19, 2022
@github-actions
Copy link
Contributor

There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment.

For more information on how the project manages feature requests, please consult the feature request management document.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request Issues that request new features to be added to Node.js. stale tls Issues and PRs related to the tls subsystem.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bnoordhuis @mdeknowis