We have discovered that system certificate stores may contain certificates that a) OpenSSL may choose over other roots for the same certificate chain and b) are not accompanied by their own root certificate, i.e. only present an immediate certificate.
While we will ideally solve this by using X509_V_FLAG_PARTIAL_CHAIN, Node.js does not expose that as a feature yet.
We have discovered that system certificate stores may contain certificates that a) OpenSSL may choose over other roots for the same certificate chain and b) are not accompanied by their own root certificate, i.e. only present an immediate certificate.
While we will ideally solve this by using
X509_V_FLAG_PARTIAL_CHAIN
, Node.js does not expose that as a feature yet.Description
Open Questions
Checklist