'use strict'; const common = require('../common'); if (!common.hasCrypto) common.skip('missing crypto'); // Test interaction of compiled-in CAs with user-provided CAs. const assert = require('assert'); const fs = require('fs'); const fixtures = require('../common/fixtures'); const tls = require('tls'); function filenamePEM(n) { return fixtures.path('keys', `${n}.pem`); } function loadPEM(n) { return fs.readFileSync(filenamePEM(n)); } const caCert = loadPEM('ca1-cert'); const opts = { host: 'www.nodejs.org', port: 443, rejectUnauthorized: true, }; // Success relies on the compiled in well-known root CAs tls.connect(opts, common.mustCall(end)); // The .ca option replaces the well-known roots, so connection fails. opts.ca = caCert; tls.connect(opts, fail).on('error', common.mustCall((err) => { assert.strictEqual(err.message, 'unable to get local issuer certificate'); })); function fail() { assert.fail('should fail to connect'); } // New secure contexts have the well-known root CAs. opts.secureContext = tls.createSecureContext(); tls.connect(opts, common.mustCall(end)); // Explicit calls to addCACert() add to the default well-known roots, instead // of replacing, so connection still succeeds. opts.secureContext.context.addCACert(caCert); tls.connect(opts, common.mustCall(end)); function end() { this.end(); }