Nodejs/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-21 10:59:27 +00:00
Code Issues Actions 25 Packages Projects Releases Wiki Activity

tls, https: validate server certificate by default

Browse Source 
This commit changes the default value of the rejectUnauthorized option from
false to true.

What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.

There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.

Fixes #3949.
This commit is contained in:
Ben Noordhuis 2012-08-30 15:14:37 +02:00
parent 4c171a504d
commit 35607f3a2d
38 changed files with 131 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/api/https.markdown
View File

@ -119,7 +119,7 @@ The following options from [tls.connect()][] can also be specified. However, a
- `rejectUnauthorized`: If `true`, the server certificate is verified against
the list of supplied CAs. An `'error'` event is emitted if verification
fails. Verification happens at the connection level, *before* the HTTP
request is sent. Default `false`.
request is sent. Default `true`.
In order to specify these options, use a custom `Agent`.

2
doc/api/tls.markdown
View File

@ -240,7 +240,7 @@ Creates a new client connection to the given `port` and `host` (old API) or
- `rejectUnauthorized`: If `true`, the server certificate is verified against
the list of supplied CAs. An `'error'` event is emitted if verification
fails. Default: `false`.
fails. Default: `true`.
- `NPNProtocols`: An array of string or `Buffer` containing supported NPN
protocols. `Buffer` should have following format: `0x05hello0x05world`,

23
lib/https.js
View File

@ -21,6 +21,7 @@
var tls = require('tls');
var http = require('http');
var util = require('util');
var url = require('url');
var inherits = require('util').inherits;
@ -97,11 +98,25 @@ exports.request = function(options, cb) {
throw new Error('Protocol:' + options.protocol + ' not supported.');
}
if (options.agent === undefined) {
options.agent = globalAgent;
options = util._extend({
createConnection: createConnection,
defaultPort: 443
}, options);
if (typeof options.agent === 'undefined') {
if (typeof options.ca === 'undefined' &&
typeof options.cert === 'undefined' &&
typeof options.ciphers === 'undefined' &&
typeof options.key === 'undefined' &&
typeof options.passphrase === 'undefined' &&
typeof options.pfx === 'undefined' &&
typeof options.rejectUnauthorized === 'undefined') {
options.agent = globalAgent;
} else {
options.agent = new Agent(options);
}
}
options.createConnection = createConnection;
options.defaultPort = options.defaultPort || 443;
return new http.ClientRequest(options, cb);
};

5
lib/tls.js
View File

@ -1272,6 +1272,11 @@ exports.connect = function(/* [port, host], options, cb */) {
var options = args[0];
var cb = args[1];
var defaults = {
rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED
};
options = util._extend(defaults, options || {});
var socket = options.socket ? options.socket : new net.Stream();
var sslcontext = crypto.createCredentials(options);

5
test/fixtures/GH-892-request.js vendored
View File

@ -19,7 +19,10 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// Called by test/simple/test-regress-GH-892.js
// Called by test/pummel/test-regress-GH-892.js
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var https = require('https');
var fs = require('fs');

4
test/pummel/test-https-large-response.js
View File

@ -19,8 +19,8 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');

7
test/pummel/test-tls-throttle.js
View File

@ -19,11 +19,12 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// Server sends a large string. Client counts bytes and pauses every few
// seconds. Makes sure that pause and resume work properly.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

4
test/simple/test-http-host-headers.js
View File

@ -19,8 +19,8 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var http = require('http'),
https = require('https'),

3
test/simple/test-http-url.parse-https.request.js
View File

@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var https = require('https');

3
test/simple/test-https-agent.js
View File

@ -27,6 +27,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var https = require('https');

3
test/simple/test-https-client-get-url.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var https = require('https');

9
test/simple/test-https-client-reject.js
View File

@ -47,21 +47,21 @@ var server = https.createServer(options, function(req, res) {
function unauthorized() {
var req = https.request({
port: common.PORT
port: common.PORT,
rejectUnauthorized: false
}, function(res) {
assert(!req.socket.authorized);
rejectUnauthorized();
});
req.on('error', function(err) {
assert(false);
throw err;
});
req.end();
}
function rejectUnauthorized() {
var options = {
port: common.PORT,
rejectUnauthorized: true
port: common.PORT
};
options.agent = new https.Agent(options);
var req = https.request(options, function(res) {
@ -76,7 +76,6 @@ function rejectUnauthorized() {
function authorized() {
var options = {
port: common.PORT,
rejectUnauthorized: true,
ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))]
};
options.agent = new https.Agent(options);

3
test/simple/test-https-drain.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var https = require('https');

3
test/simple/test-https-eof-for-eom.js
View File

@ -34,6 +34,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-https-localaddress.js
View File

@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var https = require('https'),
fs = require('fs'),

3
test/simple/test-https-pfx.js
View File

@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var https = require('https');

3
test/simple/test-https-socket-options.js
View File

@ -27,6 +27,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');

3
test/simple/test-https-strict.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');

3
test/simple/test-https-timeout.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var fs = require('fs');

3
test/simple/test-regress-GH-1531.js
View File

@ -27,6 +27,9 @@ if (!process.versions.openssl) {
var https = require('https');
var assert = require('assert');
var fs = require('fs');
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var options = {

10
test/simple/test-tls-client-reject.js
View File

@ -48,7 +48,10 @@ var server = tls.createServer(options, function(socket) {
});
function unauthorized() {
var socket = tls.connect(common.PORT, function() {
var socket = tls.connect({
port: common.PORT,
rejectUnauthorized: false
}, function() {
assert(!socket.authorized);
socket.end();
rejectUnauthorized();
@ -60,9 +63,7 @@ function unauthorized() {
}
function rejectUnauthorized() {
var socket = tls.connect(common.PORT, {
rejectUnauthorized: true
}, function() {
var socket = tls.connect(common.PORT, function() {
assert(false);
});
socket.on('error', function(err) {
@ -74,7 +75,6 @@ function rejectUnauthorized() {
function authorized() {
var socket = tls.connect(common.PORT, {
rejectUnauthorized: true,
ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))]
}, function() {
assert(socket.authorized);

3
test/simple/test-tls-client-resume.js
View File

@ -28,6 +28,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-client-verify.js
View File

@ -59,6 +59,9 @@ var testCases =
];
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var fs = require('fs');

3
test/simple/test-tls-connect-given-socket.js
View File

@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-connect-simple.js
View File

@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-getcipher.js
View File

@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-honorcipherorder.js
View File

@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-npn-server-client.js
View File

@ -25,6 +25,9 @@ if (!process.features.tls_npn) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common'),
assert = require('assert'),
fs = require('fs'),

3
test/simple/test-tls-over-http-tunnel.js
View File

@ -27,6 +27,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');

3
test/simple/test-tls-passphrase.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-pause-close.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-pause.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-peer-certificate-multi-keys.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-peer-certificate.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-remote.js
View File

@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-request-timeout.js
View File

@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-set-encoding.js
View File

@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
var tls = require('tls');

3
test/simple/test-tls-sni-server-client.js
View File

@ -28,6 +28,9 @@ if (!process.features.tls_sni) {
process.exit(0);
}
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common'),
assert = require('assert'),
fs = require('fs'),