tls: load bundled and extra certificates off-thread

joyeecheung · joyeecheung · commit 53f70cbbed1f · 2025-09-11T17:10:33.000+02:00
This patch makes the certificate pre-loading thread load the bundled
and extra certificates from the other thread as well.
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
@@ -838,6 +838,23 @@ static std::vector<X509*>& GetExtraCACertificates() {
 }
 
 static void LoadCACertificates(void* data) {
+  per_process::Debug(DebugCategory::CRYPTO,
+                     "Started loading bundled root certificates off-thread\n");
+  GetBundledRootCertificates();
+
+  if (!extra_root_certs_file.empty()) {
+    per_process::Debug(DebugCategory::CRYPTO,
+                       "Started loading extra root certificates off-thread\n");
+    GetExtraCACertificates();
+  }
+
+  {
+    Mutex::ScopedLock cli_lock(node::per_process::cli_options_mutex);
+    if (!per_process::cli_options->use_system_ca) {
+      return;
+    }
+  }
+
   per_process::Debug(DebugCategory::CRYPTO,
                      "Started loading system root certificates off-thread\n");
   GetSystemStoreCACertificates();
@@ -856,9 +873,12 @@ void StartLoadingCertificatesOffThread(
   // Get*CACertificates() functions has a function-local static and any
   // actual user of it will wait for that to complete initialization.
 
+  // --use-openssl-ca is mutually exclusive with --use-bundled-ca and
+  // --use-system-ca. If it's set, no need to optimize with off-thread
+  // loading.
   {
     Mutex::ScopedLock cli_lock(node::per_process::cli_options_mutex);
-    if (!per_process::cli_options->use_system_ca) {
+    if (!per_process::cli_options->ssl_openssl_cert_store) {
       return;
     }
   }
