'use strict';
const common = require('../common');

if (!common.hasCrypto) {
  common.skip('missing crypto');
}

// Test interaction of compiled-in CAs with user-provided CAs.
//
// Every case below opens a real TLS connection to www.nodejs.org:443, so the
// test needs outbound network access and a server certificate that chains to
// one of the compiled-in roots. `rejectUnauthorized: true` is set explicitly
// so that chain verification decides each outcome.

const assert = require('assert');
const fs = require('fs');
const fixtures = require('../common/fixtures');
const tls = require('tls');

/**
 * Resolve the path of a PEM fixture in the `keys` fixture directory.
 * @param {string} n - Fixture base name, without the `.pem` extension.
 * @returns {string} Path to `<n>.pem`.
 */
function filenamePEM(n) {
  const pemName = `${n}.pem`;
  return fixtures.path('keys', pemName);
}

/**
 * Read a PEM fixture from disk synchronously.
 * @param {string} n - Fixture base name, without the `.pem` extension.
 * @returns {Buffer} Raw file contents.
 */
function loadPEM(n) {
  const pemPath = filenamePEM(n);
  return fs.readFileSync(pemPath);
}

/**
 * Secure-connect callback for the cases that must succeed: closes the socket.
 * Kept as a regular function because it relies on `this` being the socket.
 */
function end() {
  this.end();
}

/**
 * Secure-connect callback for the case that must be rejected. Reaching it
 * means the handshake completed even though verification should have failed.
 */
function fail() {
  assert.fail('should fail to connect');
}

// A test CA certificate; the outcomes below depend on it not being the
// issuer of the remote server's certificate.
const privateCaPem = loadPEM('ca1-cert');

// One options object is shared and mutated between cases, so every setting
// made for an earlier case is still present in the later ones.
const connectOptions = {
  host: 'www.nodejs.org',
  port: 443,
  rejectUnauthorized: true,
};

// Case 1: no CA options. Success relies on the compiled-in well-known roots.
tls.connect(connectOptions, common.mustCall(end));

// Case 2: the .ca option replaces the well-known roots rather than extending
// them, so with only the test CA trusted the chain cannot be verified.
connectOptions.ca = privateCaPem;
const rejectedSocket = tls.connect(connectOptions, fail);
rejectedSocket.on('error', common.mustCall((err) => {
  // NOTE(review): this pins the exact message text; confirm it is stable
  // across the TLS library versions this test runs against.
  assert.strictEqual(err.message, 'unable to get local issuer certificate');
}));

// Case 3: new secure contexts have the well-known root CAs. `ca` is still set
// on the options object here, so this connection succeeding shows that the
// supplied secureContext, not `ca`, determines the trusted roots.
connectOptions.secureContext = tls.createSecureContext();
tls.connect(connectOptions, common.mustCall(end));

// Case 4: explicit calls to addCACert() add to the default well-known roots
// instead of replacing them, so the connection still succeeds.
const nativeContext = connectOptions.secureContext.context;
nativeContext.addCACert(privateCaPem);
tls.connect(connectOptions, common.mustCall(end));