src,doc,test: add --openssl-shared-config option

This commit adds a new command line option named
'--openssl-shared-config' intended to allow reverting to the old OpenSSL
configuration behavior where Node.js would use the configuration section
name (called appname in OpenSSL) 'openssl_conf' which could potentially
be used my other applications..

PR-URL: #43124
Backport-PR-URL: #43539
Refs: #40366
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>

Author: danbev

doc/api/cli.md

@@ -771,6 +771,21 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
 used to enable FIPS-compliant crypto if Node.js is built
 against FIPS-enabled OpenSSL.
 
+### `--openssl-shared-config`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+Enable OpenSSL default configuration section, `openssl_conf` to be read from
+the OpenSSL configuration file. The default configuration file is named
+`openssl.cnf` but this can be changed using the environment variable
+`OPENSSL_CONF`, or by using the command line option `--openssl-config`.
+The location of the default OpenSSL configuration file depends on how OpenSSL
+is being linked to Node.js. Sharing the OpenSSL configuration may have unwanted
+implications and it is recommended to use a configuration section specific to
+Node.js which is `nodejs_conf` and is default when this option is not used.
+
 ### `--openssl-legacy-provider`
 
 <!-- YAML
@@ -1662,6 +1677,7 @@ Node.js options that are allowed are:
 * `--node-memory-debug`
 * `--openssl-config`
 * `--openssl-legacy-provider`
+* `--openssl-shared-config`
 * `--pending-deprecation`
 * `--policy-integrity`
 * `--preserve-symlinks-main`

src/node.cc

@@ -1092,8 +1092,13 @@ InitializationResult InitializeOncePerProcess(
     // to be loaded, but the default section in that file will not be used,
     // instead only the section that matches the value of conf_section_name
     // will be read from the default configuration file.
-    //  fprintf(stderr, "appanme: %s\n", conf_section_name);
     const char* conf_file = nullptr;
+    // To allow for using the previous default where the 'openssl_conf' appname
+    // was used, the command line option 'openssl-shared-config' can be used to
+    // force the old behavior.
+    if (per_process::cli_options->openssl_shared_config) {
+      conf_section_name = "openssl_conf";
+    }
     // Use OPENSSL_CONF environment variable is set.
     std::string env_openssl_conf;
     credentials::SafeGetenv("OPENSSL_CONF", &env_openssl_conf);

src/node_options.cc

@@ -860,6 +860,10 @@ PerProcessOptionsParser::PerProcessOptionsParser(
             "enable OpenSSL 3.0 legacy provider",
             &PerProcessOptions::openssl_legacy_provider,
             kAllowedInEnvironment);
+  AddOption("--openssl-shared-config",
+            "enable OpenSSL shared configuration",
+            &PerProcessOptions::openssl_shared_config,
+            kAllowedInEnvironment);
 
 #endif  // OPENSSL_VERSION_MAJOR
   AddOption("--use-largepages",

src/node_options.h

@@ -265,6 +265,7 @@ class PerProcessOptions : public Options {
 #endif
 #if OPENSSL_VERSION_MAJOR >= 3
   bool openssl_legacy_provider = false;
+  bool openssl_shared_config = false;
 #endif
 
   // Per-process because reports can be triggered outside a known V8 context.

test/parallel/test-process-env-allowed-flags-are-documented.js

@@ -45,6 +45,7 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
 
 if (!common.hasOpenSSL3) {
   documented.delete('--openssl-legacy-provider');
+  documented.delete('--openssl-shared-config');
 }
 
 // Filter out options that are conditionally present.
@@ -55,6 +56,7 @@ const conditionalOpts = [
       return [
         '--openssl-config',
         common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
+        common.hasOpenSSL3 ? '--openssl-shared-config' : '',
         '--tls-cipher-list',
         '--use-bundled-ca',
         '--use-openssl-ca',