From 4108c31293b86f1323ec3d9012cfe8767ba78d00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20M=C3=BCllerleile?=
Date: Thu, 4 Apr 2013 22:10:53 +0300
Subject: [PATCH] tls: Re-enable check of CN-ID in cert verification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RFC 6125 explicitly states that a client "MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client", but it MAY do so if none of the mentioned identifier types (but others) are present.
---
 lib/tls.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/tls.js b/lib/tls.js
index 8650041c91..1ff0d5d679 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -140,7 +140,6 @@ function checkServerIdentity(host, cert) {
 //
 // Walk through altnames and generate lists of those names
 if (cert.subjectaltname) {
- matchCN = false;
 cert.subjectaltname.split(/, /g).forEach(function(altname) {
 if (/^DNS:/.test(altname)) {
 dnsNames.push(altname.slice(4));
@@ -178,7 +177,8 @@ function checkServerIdentity(host, cert) {
 if (dnsNames.length > 0)
 matchCN = false;
 
- // Match against Common Name (CN) only if altnames are not present.
+ // Match against Common Name (CN) only if no supported identifiers are
+ // present.
 //
 // "As noted, a client MUST NOT seek a match for a reference identifier
 // of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
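Review bot: With the unconditional reset at the top of the altname walk gone, a certificate whose subjectAltName holds only non-DNS entries now leaves matchCN true, and the only remaining gate (context in the second hunk, `if (dnsNames.length > 0) matchCN = false;`) looks at DNS-ID alone, while the RFC text quoted right below it also names SRV-ID and URI-ID as identifiers that must suppress a CN-ID match. If the walk collects URI entries into a list alongside dnsNames (the branches after the `DNS:` test run past the end of the first hunk, so this is inferred), that list should feed the same gate, roughly `if (dnsNames.length > 0 || uriNames.length > 0) matchCN = false;` with the actual list name used in the walk. The new comment in the second hunk ("no supported identifiers are present") should then say which identifier types count as supported so the comment and the gate stay in step. checkServerIdentity begins before the first hunk and continues past both.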