
tls, https: validate server certificate by default

This commit changes the default value of the rejectUnauthorized option from
false to true.

What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.

There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.

Fixes #3949.
commit 35607f3a2dda03af8cf2dd3704c0c915e28aa774 1 parent 4c171a5
Ben Noordhuis bnoordhuis authored

Showing 38 changed files with 131 additions and 24 deletions.

  1. +1 1  doc/api/https.markdown
  2. +1 1  doc/api/tls.markdown
  3. +19 4 lib/https.js
  4. +5 0 lib/tls.js
  5. +4 1 test/fixtures/GH-892-request.js
  6. +2 2 test/pummel/test-https-large-response.js
  7. +4 3 test/pummel/test-tls-throttle.js
  8. +2 2 test/simple/test-http-host-headers.js
  9. +3 0  test/simple/test-http-url.parse-https.request.js
  10. +3 0  test/simple/test-https-agent.js
  11. +3 0  test/simple/test-https-client-get-url.js
  12. +4 5 test/simple/test-https-client-reject.js
  13. +3 0  test/simple/test-https-drain.js
  14. +3 0  test/simple/test-https-eof-for-eom.js
  15. +3 0  test/simple/test-https-localaddress.js
  16. +3 0  test/simple/test-https-pfx.js
  17. +3 0  test/simple/test-https-socket-options.js
  18. +3 0  test/simple/test-https-strict.js
  19. +3 0  test/simple/test-https-timeout.js
  20. +3 0  test/simple/test-regress-GH-1531.js
  21. +5 5 test/simple/test-tls-client-reject.js
  22. +3 0  test/simple/test-tls-client-resume.js
  23. +3 0  test/simple/test-tls-client-verify.js
  24. +3 0  test/simple/test-tls-connect-given-socket.js
  25. +3 0  test/simple/test-tls-connect-simple.js
  26. +3 0  test/simple/test-tls-getcipher.js
  27. +3 0  test/simple/test-tls-honorcipherorder.js
  28. +3 0  test/simple/test-tls-npn-server-client.js
  29. +3 0  test/simple/test-tls-over-http-tunnel.js
  30. +3 0  test/simple/test-tls-passphrase.js
  31. +3 0  test/simple/test-tls-pause-close.js
  32. +3 0  test/simple/test-tls-pause.js
  33. +3 0  test/simple/test-tls-peer-certificate-multi-keys.js
  34. +3 0  test/simple/test-tls-peer-certificate.js
  35. +3 0  test/simple/test-tls-remote.js
  36. +3 0  test/simple/test-tls-request-timeout.js
  37. +3 0  test/simple/test-tls-set-encoding.js
  38. +3 0  test/simple/test-tls-sni-server-client.js
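--- a/doc/api/https.markdown
+++ b/doc/api/https.markdown
@@ -119,7 +119,7 @@ The following options from [tls.connect()][] can also be specified. However, a
 - `rejectUnauthorized`: If `true`, the server certificate is verified against
 the list of supplied CAs. An `'error'` event is emitted if verification
 fails. Verification happens at the connection level, *before* the HTTP
- request is sent. Default `false`.
+ request is sent. Default `true`.
 
 In order to specify these options, use a custom `Agent`.
 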
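--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -240,7 +240,7 @@ Creates a new client connection to the given `port` and `host` (old API) or
 
 - `rejectUnauthorized`: If `true`, the server certificate is verified against
 the list of supplied CAs. An `'error'` event is emitted if verification
- fails. Default: `false`.
+ fails. Default: `true`.
 
 - `NPNProtocols`: An array of string or `Buffer` containing supported NPN
 protocols. `Buffer` should have following format: `0x05hello0x05world`,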
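--- a/lib/https.js
+++ b/lib/https.js
@@ -21,6 +21,7 @@
 
 var tls = require('tls');
 var http = require('http');
+var util = require('util');
 var url = require('url');
 var inherits = require('util').inherits;
 
@@ -97,11 +98,25 @@ exports.request = function(options, cb) {
 throw new Error('Protocol:' + options.protocol + ' not supported.');
 }
 
- if (options.agent === undefined) {
- options.agent = globalAgent;
+ options = util._extend({
+ createConnection: createConnection,
+ defaultPort: 443
+ }, options);
+
+ if (typeof options.agent === 'undefined') {
+ if (typeof options.ca === 'undefined' &&
+ typeof options.cert === 'undefined' &&
+ typeof options.ciphers === 'undefined' &&
+ typeof options.key === 'undefined' &&
+ typeof options.passphrase === 'undefined' &&
+ typeof options.pfx === 'undefined' &&
+ typeof options.rejectUnauthorized === 'undefined') {
+ options.agent = globalAgent;
+ } else {
+ options.agent = new Agent(options);
+ }
 }
- options.createConnection = createConnection;
- options.defaultPort = options.defaultPort || 443;
+
 return new http.ClientRequest(options, cb);
 };
 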
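Review bot: Because `createConnection` and `defaultPort` are passed as the defaults to `util._extend()` at new lines 101–104, a value the caller supplies for either key now wins, whereas the removed lines 103–104 always installed the module's `createConnection` and fell back to 443 for any falsy `defaultPort`. If that widening is not intended, copy first and assign afterwards: `options = util._extend({}, options);`, `options.createConnection = createConnection;`, `options.defaultPort = options.defaultPort || 443;`. The `else` branch at new line 116 also creates a new `Agent` for every request that sets one of the seven TLS options, so those requests presumably stop sharing pooled sockets; a comment stating that this is deliberate would help. `exports.request` starts above the hunk.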
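--- a/lib/tls.js
+++ b/lib/tls.js
@@ -1272,6 +1272,11 @@ exports.connect = function(/* [port, host], options, cb */) {
 var options = args[0];
 var cb = args[1];
 
+ var defaults = {
+ rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED
+ };
+ options = util._extend(defaults, options || {});
+
 var socket = options.socket ? options.socket : new net.Stream();
 
 var sslcontext = crypto.createCredentials(options);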
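Review bot: The default set at new lines 1275–1278 fails open when a caller passes the key without a value: assuming `util._extend` copies every own key of its second argument, `tls.connect({ rejectUnauthorized: undefined })` replaces the `true` default with a falsy value. Applying the default only when the option is absent keeps verification on in that case: `options = util._extend({}, options || {});` then `if (typeof options.rejectUnauthorized === 'undefined') options.rejectUnauthorized = '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED;`. The variable is re-read on every call and affects every connection in the process, which is worth a comment above `defaults` because the two documentation sections in this commit do not mention it. `exports.connect` starts above the hunk and continues below it.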
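--- a/test/fixtures/GH-892-request.js
+++ b/test/fixtures/GH-892-request.js
@@ -19,7 +19,10 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-// Called by test/simple/test-regress-GH-892.js
+// Called by test/pummel/test-regress-GH-892.js
+
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
 
 var https = require('https');
 var fs = require('fs');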
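Review bot: Assigning `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'` at new line 25 switches certificate validation off for every TLS connection the process makes, so this fixture no longer exercises the new default at all. Where the test only needs to reach its own self-signed server, passing the fixture certificate through `ca`, as `authorized()` in test/simple/test-https-client-reject.js does, or `rejectUnauthorized: false` on the single request keeps the opt-out scoped to one connection. The same two lines are added at the top of the other test files in this commit, from test/pummel/test-https-large-response.js through test/simple/test-tls-sni-server-client.js, apart from the two client-reject tests. If the global switch is kept, the comment should say why, for example `// test server uses a self-signed certificate; validation is not what this test checks`.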
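--- a/test/pummel/test-https-large-response.js
+++ b/test/pummel/test-https-large-response.js
@@ -19,8 +19,8 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-
-
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
 
 var common = require('../common');
 var assert = require('assert');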
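--- a/test/pummel/test-tls-throttle.js
+++ b/test/pummel/test-tls-throttle.js
@@ -19,11 +19,12 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-
-
-
 // Server sends a large string. Client counts bytes and pauses every few
 // seconds. Makes sure that pause and resume work properly.
+
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');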
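--- a/test/simple/test-http-host-headers.js
+++ b/test/simple/test-http-host-headers.js
@@ -19,8 +19,8 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-
-
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
 
 var http = require('http'),
 https = require('https'),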
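--- a/test/simple/test-http-url.parse-https.request.js
+++ b/test/simple/test-http-url.parse-https.request.js
@@ -19,6 +19,9 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var https = require('https');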
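--- a/test/simple/test-https-agent.js
+++ b/test/simple/test-https-agent.js
@@ -27,6 +27,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var https = require('https');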
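--- a/test/simple/test-https-client-get-url.js
+++ b/test/simple/test-https-client-get-url.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var https = require('https');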
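--- a/test/simple/test-https-client-reject.js
+++ b/test/simple/test-https-client-reject.js
@@ -47,21 +47,21 @@ var server = https.createServer(options, function(req, res) {
 
 function unauthorized() {
 var req = https.request({
- port: common.PORT
+ port: common.PORT,
+ rejectUnauthorized: false
 }, function(res) {
 assert(!req.socket.authorized);
 rejectUnauthorized();
 });
 req.on('error', function(err) {
- assert(false);
+ throw err;
 });
 req.end();
 }
 
 function rejectUnauthorized() {
 var options = {
- port: common.PORT,
- rejectUnauthorized: true
+ port: common.PORT
 };
 options.agent = new https.Agent(options);
 var req = https.request(options, function(res) {
@@ -76,7 +76,6 @@ function rejectUnauthorized() {
 function authorized() {
 var options = {
 port: common.PORT,
- rejectUnauthorized: true,
 ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))]
 };
 options.agent = new https.Agent(options);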
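Review bot: `rejectUnauthorized()` at new line 64 now depends on the built-in default, so its result depends on the environment the test is launched from: with `NODE_TLS_REJECT_UNAUTHORIZED=0` already exported, the connection is presumably accepted and the reject case no longer sees the error it expects. Clearing the variable before the first request, `delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;`, with a comment that this file checks the default, would make the test independent of the caller's shell. The same applies to `rejectUnauthorized()` in test/simple/test-tls-client-reject.js. The bodies of `rejectUnauthorized()` and `authorized()` continue outside the hunks.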
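--- a/test/simple/test-https-drain.js
+++ b/test/simple/test-https-drain.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var https = require('https');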
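--- a/test/simple/test-https-eof-for-eom.js
+++ b/test/simple/test-https-eof-for-eom.js
@@ -34,6 +34,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');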
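--- a/test/simple/test-https-localaddress.js
+++ b/test/simple/test-https-localaddress.js
@@ -19,6 +19,9 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var https = require('https'),
 fs = require('fs'),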
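--- a/test/simple/test-https-pfx.js
+++ b/test/simple/test-https-pfx.js
@@ -19,6 +19,9 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var https = require('https');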
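--- a/test/simple/test-https-socket-options.js
+++ b/test/simple/test-https-socket-options.js
@@ -27,6 +27,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 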
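--- a/test/simple/test-https-strict.js
+++ b/test/simple/test-https-strict.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 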
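--- a/test/simple/test-https-timeout.js
+++ b/test/simple/test-https-timeout.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var fs = require('fs');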
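--- a/test/simple/test-regress-GH-1531.js
+++ b/test/simple/test-regress-GH-1531.js
@@ -27,6 +27,9 @@ if (!process.versions.openssl) {
 var https = require('https');
 var assert = require('assert');
 var fs = require('fs');
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 
 var options = {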
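--- a/test/simple/test-tls-client-reject.js
+++ b/test/simple/test-tls-client-reject.js
@@ -48,7 +48,10 @@ var server = tls.createServer(options, function(socket) {
 });
 
 function unauthorized() {
- var socket = tls.connect(common.PORT, function() {
+ var socket = tls.connect({
+ port: common.PORT,
+ rejectUnauthorized: false
+ }, function() {
 assert(!socket.authorized);
 socket.end();
 rejectUnauthorized();
@@ -60,9 +63,7 @@ function unauthorized() {
 }
 
 function rejectUnauthorized() {
- var socket = tls.connect(common.PORT, {
- rejectUnauthorized: true
- }, function() {
+ var socket = tls.connect(common.PORT, function() {
 assert(false);
 });
 socket.on('error', function(err) {
@@ -74,7 +75,6 @@ function rejectUnauthorized() {
 
 function authorized() {
 var socket = tls.connect(common.PORT, {
- rejectUnauthorized: true,
 ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))]
 }, function() {
 assert(socket.authorized);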
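--- a/test/simple/test-tls-client-resume.js
+++ b/test/simple/test-tls-client-resume.js
@@ -28,6 +28,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');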
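--- a/test/simple/test-tls-client-verify.js
+++ b/test/simple/test-tls-client-verify.js
@@ -59,6 +59,9 @@ var testCases =
 ];
 
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var fs = require('fs');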
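--- a/test/simple/test-tls-connect-given-socket.js
+++ b/test/simple/test-tls-connect-given-socket.js
@@ -19,6 +19,9 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');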
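--- a/test/simple/test-tls-connect-simple.js
+++ b/test/simple/test-tls-connect-simple.js
@@ -19,6 +19,9 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');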
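--- a/test/simple/test-tls-getcipher.js
+++ b/test/simple/test-tls-getcipher.js
@@ -19,6 +19,9 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');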
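--- a/test/simple/test-tls-honorcipherorder.js
+++ b/test/simple/test-tls-honorcipherorder.js
@@ -19,6 +19,9 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');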
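--- a/test/simple/test-tls-npn-server-client.js
+++ b/test/simple/test-tls-npn-server-client.js
@@ -25,6 +25,9 @@ if (!process.features.tls_npn) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common'),
 assert = require('assert'),
 fs = require('fs'),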
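--- a/test/simple/test-tls-over-http-tunnel.js
+++ b/test/simple/test-tls-over-http-tunnel.js
@@ -27,6 +27,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 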
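--- a/test/simple/test-tls-passphrase.js
+++ b/test/simple/test-tls-passphrase.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');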
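--- a/test/simple/test-tls-pause-close.js
+++ b/test/simple/test-tls-pause-close.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');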
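--- a/test/simple/test-tls-pause.js
+++ b/test/simple/test-tls-pause.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');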
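--- a/test/simple/test-tls-peer-certificate-multi-keys.js
+++ b/test/simple/test-tls-peer-certificate-multi-keys.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');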
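--- a/test/simple/test-tls-peer-certificate.js
+++ b/test/simple/test-tls-peer-certificate.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');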
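--- a/test/simple/test-tls-remote.js
+++ b/test/simple/test-tls-remote.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');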
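--- a/test/simple/test-tls-request-timeout.js
+++ b/test/simple/test-tls-request-timeout.js
@@ -19,6 +19,9 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');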
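--- a/test/simple/test-tls-set-encoding.js
+++ b/test/simple/test-tls-set-encoding.js
@@ -19,6 +19,9 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common');
 var assert = require('assert');
 var tls = require('tls');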
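--- a/test/simple/test-tls-sni-server-client.js
+++ b/test/simple/test-tls-sni-server-client.js
@@ -28,6 +28,9 @@ if (!process.features.tls_sni) {
 process.exit(0);
 }
 
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 var common = require('../common'),
 assert = require('assert'),
 fs = require('fs'),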
