Browse Source

tls: `checkServerIdentity` option

Allow overriding `checkServerIdentity` function, when connecting to a
TLS server.

Reviewed-By: Fedor Indutny <fedor@indutny.com>
v0.11.14-release
Trevor Livingston 10 years ago
committed by Fedor Indutny
parent
commit
bf5e2f246e
  1. 4
      doc/api/tls.markdown
  2. 8
      lib/_tls_wrap.js
  3. 85
      test/simple/test-https-client-checkServerIdentity.js

4
doc/api/tls.markdown

@ -196,6 +196,10 @@ automatically set as a listener for the [secureConnection][] event. The
which is not authorized with the list of supplied CAs. This option only
has an effect if `requestCert` is `true`. Default: `false`.
- `checkServerIdentity(servername, cert)`: Provide an override for checking
server's hostname against the certificate. Should return an error if verification
fails. Return `undefined` if passing.
- `NPNProtocols`: An array or `Buffer` of possible NPN protocols. (Protocols
should be ordered by their priority).

8
lib/_tls_wrap.js

@ -822,10 +822,14 @@ exports.connect = function(/* [port, host], options, cb */) {
var defaults = {
rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED,
ciphers: tls.DEFAULT_CIPHERS
ciphers: tls.DEFAULT_CIPHERS,
checkServerIdentity: tls.checkServerIdentity
};
options = util._extend(defaults, options || {});
assert(typeof options.checkServerIdentity === 'function');
var hostname = options.servername ||
options.host ||
options.socket && options.socket._host,
@ -912,7 +916,7 @@ exports.connect = function(/* [port, host], options, cb */) {
// Verify that server's identity matches it's certificate's names
if (!verifyError) {
var cert = result.getPeerCertificate();
verifyError = tls.checkServerIdentity(hostname, cert);
verifyError = options.checkServerIdentity(hostname, cert);
}
if (verifyError) {

85
test/simple/test-https-client-checkServerIdentity.js

@ -0,0 +1,85 @@
// Copyright Joyent, Inc. and other Node contributors.
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to permit
// persons to whom the Software is furnished to do so, subject to the
// following conditions:
//
// The above copyright notice and this permission notice shall be included
// in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
if (!process.versions.openssl) {
console.error('Skipping because node compiled without OpenSSL.');
process.exit(0);
}
var common = require('../common');
var assert = require('assert');
var https = require('https');
var fs = require('fs');
var path = require('path');
var options = {
key: fs.readFileSync(path.join(common.fixturesDir, 'keys/agent3-key.pem')),
cert: fs.readFileSync(path.join(common.fixturesDir, 'keys/agent3-cert.pem'))
};
var reqCount = 0;
var server = https.createServer(options, function (req, res) {
++reqCount;
res.writeHead(200);
res.end();
req.resume();
}).listen(common.PORT, function () {
authorized();
});
function authorized() {
var req = https.request({
port: common.PORT,
rejectUnauthorized: true,
ca: [fs.readFileSync(path.join(common.fixturesDir, 'keys/ca2-cert.pem'))]
}, function (res) {
assert(false);
});
req.on('error', function (err) {
override();
});
req.end();
}
function override() {
var options = {
port: common.PORT,
rejectUnauthorized: true,
ca: [fs.readFileSync(path.join(common.fixturesDir, 'keys/ca2-cert.pem'))],
checkServerIdentity: function (host, cert) {
return false;
}
};
options.agent = new https.Agent(options);
var req = https.request(options, function (res) {
assert(req.socket.authorized);
server.close();
});
req.on('error', function (err) {
throw err;
});
req.end();
}
process.on('exit', function () {
assert.equal(reqCount, 1);
});
Loading…
Cancel
Save