Configure flag to disable embedded CA root certs for lite builds #53421
davidfiala
started this conversation in
Ideas
Just a technical note: I should point out that one cannot simply truncate If you truncate it to just an empty pair of quotes, a runtime assert will fail since it will be seen as a single certificate of zero bytes, and x509 cannot parse it. The idea would be to allow disabling any embedded CAs or possibly changing the file it points to for embedded. But ensuring that it supports the empty-file case, too.
I'm looking at improvements to cut down on the size of light builds of node. Embedded Mozilla certs inflate the final node binary by 234 KB.
For (a) embedded environments where you know exactly which roots you trust, or (b) environments where you know ahead of time you will depend on the system CA certs: it would be useful to avoid packaging the Mozilla root certs.
We already provide options to switch the default certs to trust (system vs embedded Mozilla). I'd like to propose expanding it to prevent the packaging of embedded certs entirely.
What's the appetite look like for such a change? In my minimized node builds I already remove them, and I'd be happy to offer a PR to make this a configure option if the proposal is interesting to folks.
Thanks for your time!