Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

tls, https: validate server certificate by default

This commit changes the default value of the rejectUnauthorized option from
false to true.

What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.

There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.

Fixes #3949.
  • Loading branch information...
commit 35607f3a2dda03af8cf2dd3704c0c915e28aa774 1 parent 4c171a5
@bnoordhuis bnoordhuis authored
Showing with 131 additions and 24 deletions.
  1. +1 −1  doc/api/https.markdown
  2. +1 −1  doc/api/tls.markdown
  3. +19 −4 lib/https.js
  4. +5 −0 lib/tls.js
  5. +4 −1 test/fixtures/GH-892-request.js
  6. +2 −2 test/pummel/test-https-large-response.js
  7. +4 −3 test/pummel/test-tls-throttle.js
  8. +2 −2 test/simple/test-http-host-headers.js
  9. +3 −0  test/simple/test-http-url.parse-https.request.js
  10. +3 −0  test/simple/test-https-agent.js
  11. +3 −0  test/simple/test-https-client-get-url.js
  12. +4 −5 test/simple/test-https-client-reject.js
  13. +3 −0  test/simple/test-https-drain.js
  14. +3 −0  test/simple/test-https-eof-for-eom.js
  15. +3 −0  test/simple/test-https-localaddress.js
  16. +3 −0  test/simple/test-https-pfx.js
  17. +3 −0  test/simple/test-https-socket-options.js
  18. +3 −0  test/simple/test-https-strict.js
  19. +3 −0  test/simple/test-https-timeout.js
  20. +3 −0  test/simple/test-regress-GH-1531.js
  21. +5 −5 test/simple/test-tls-client-reject.js
  22. +3 −0  test/simple/test-tls-client-resume.js
  23. +3 −0  test/simple/test-tls-client-verify.js
  24. +3 −0  test/simple/test-tls-connect-given-socket.js
  25. +3 −0  test/simple/test-tls-connect-simple.js
  26. +3 −0  test/simple/test-tls-getcipher.js
  27. +3 −0  test/simple/test-tls-honorcipherorder.js
  28. +3 −0  test/simple/test-tls-npn-server-client.js
  29. +3 −0  test/simple/test-tls-over-http-tunnel.js
  30. +3 −0  test/simple/test-tls-passphrase.js
  31. +3 −0  test/simple/test-tls-pause-close.js
  32. +3 −0  test/simple/test-tls-pause.js
  33. +3 −0  test/simple/test-tls-peer-certificate-multi-keys.js
  34. +3 −0  test/simple/test-tls-peer-certificate.js
  35. +3 −0  test/simple/test-tls-remote.js
  36. +3 −0  test/simple/test-tls-request-timeout.js
  37. +3 −0  test/simple/test-tls-set-encoding.js
  38. +3 −0  test/simple/test-tls-sni-server-client.js
View
2  doc/api/https.markdown
@@ -119,7 +119,7 @@ The following options from [tls.connect()][] can also be specified. However, a
- `rejectUnauthorized`: If `true`, the server certificate is verified against
the list of supplied CAs. An `'error'` event is emitted if verification
fails. Verification happens at the connection level, *before* the HTTP
- request is sent. Default `false`.
+ request is sent. Default `true`.
In order to specify these options, use a custom `Agent`.
View
2  doc/api/tls.markdown
@@ -240,7 +240,7 @@ Creates a new client connection to the given `port` and `host` (old API) or
- `rejectUnauthorized`: If `true`, the server certificate is verified against
the list of supplied CAs. An `'error'` event is emitted if verification
- fails. Default: `false`.
+ fails. Default: `true`.
- `NPNProtocols`: An array of string or `Buffer` containing supported NPN
protocols. `Buffer` should have following format: `0x05hello0x05world`,
View
23 lib/https.js
@@ -21,6 +21,7 @@
var tls = require('tls');
var http = require('http');
+var util = require('util');
var url = require('url');
var inherits = require('util').inherits;
@@ -97,11 +98,25 @@ exports.request = function(options, cb) {
throw new Error('Protocol:' + options.protocol + ' not supported.');
}
- if (options.agent === undefined) {
- options.agent = globalAgent;
+ options = util._extend({
+ createConnection: createConnection,
+ defaultPort: 443
+ }, options);
+
+ if (typeof options.agent === 'undefined') {
+ if (typeof options.ca === 'undefined' &&
+ typeof options.cert === 'undefined' &&
+ typeof options.ciphers === 'undefined' &&
+ typeof options.key === 'undefined' &&
+ typeof options.passphrase === 'undefined' &&
+ typeof options.pfx === 'undefined' &&
+ typeof options.rejectUnauthorized === 'undefined') {
+ options.agent = globalAgent;
+ } else {
+ options.agent = new Agent(options);
+ }
}
- options.createConnection = createConnection;
- options.defaultPort = options.defaultPort || 443;
+
return new http.ClientRequest(options, cb);
};
View
5 lib/tls.js
@@ -1272,6 +1272,11 @@ exports.connect = function(/* [port, host], options, cb */) {
var options = args[0];
var cb = args[1];
+ var defaults = {
+ rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED
+ };
+ options = util._extend(defaults, options || {});
+
var socket = options.socket ? options.socket : new net.Stream();
var sslcontext = crypto.createCredentials(options);
View
5 test/fixtures/GH-892-request.js
@@ -19,7 +19,10 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
-// Called by test/simple/test-regress-GH-892.js
+// Called by test/pummel/test-regress-GH-892.js
+
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var https = require('https');
var fs = require('fs');
View
4 test/pummel/test-https-large-response.js
@@ -19,8 +19,8 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var common = require('../common');
var assert = require('assert');
View
7 test/pummel/test-tls-throttle.js
@@ -19,11 +19,12 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
-
// Server sends a large string. Client counts bytes and pauses every few
// seconds. Makes sure that pause and resume work properly.
+
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
4 test/simple/test-http-host-headers.js
@@ -19,8 +19,8 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var http = require('http'),
https = require('https'),
View
3  test/simple/test-http-url.parse-https.request.js
@@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var https = require('https');
View
3  test/simple/test-https-agent.js
@@ -27,6 +27,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var https = require('https');
View
3  test/simple/test-https-client-get-url.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var https = require('https');
View
9 test/simple/test-https-client-reject.js
@@ -47,21 +47,21 @@ var server = https.createServer(options, function(req, res) {
function unauthorized() {
var req = https.request({
- port: common.PORT
+ port: common.PORT,
+ rejectUnauthorized: false
}, function(res) {
assert(!req.socket.authorized);
rejectUnauthorized();
});
req.on('error', function(err) {
- assert(false);
+ throw err;
});
req.end();
}
function rejectUnauthorized() {
var options = {
- port: common.PORT,
- rejectUnauthorized: true
+ port: common.PORT
};
options.agent = new https.Agent(options);
var req = https.request(options, function(res) {
@@ -76,7 +76,6 @@ function rejectUnauthorized() {
function authorized() {
var options = {
port: common.PORT,
- rejectUnauthorized: true,
ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))]
};
options.agent = new https.Agent(options);
View
3  test/simple/test-https-drain.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var https = require('https');
View
3  test/simple/test-https-eof-for-eom.js
@@ -34,6 +34,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-https-localaddress.js
@@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var https = require('https'),
fs = require('fs'),
View
3  test/simple/test-https-pfx.js
@@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var https = require('https');
View
3  test/simple/test-https-socket-options.js
@@ -27,6 +27,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
View
3  test/simple/test-https-strict.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
View
3  test/simple/test-https-timeout.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var fs = require('fs');
View
3  test/simple/test-regress-GH-1531.js
@@ -27,6 +27,9 @@ if (!process.versions.openssl) {
var https = require('https');
var assert = require('assert');
var fs = require('fs');
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var options = {
View
10 test/simple/test-tls-client-reject.js
@@ -48,7 +48,10 @@ var server = tls.createServer(options, function(socket) {
});
function unauthorized() {
- var socket = tls.connect(common.PORT, function() {
+ var socket = tls.connect({
+ port: common.PORT,
+ rejectUnauthorized: false
+ }, function() {
assert(!socket.authorized);
socket.end();
rejectUnauthorized();
@@ -60,9 +63,7 @@ function unauthorized() {
}
function rejectUnauthorized() {
- var socket = tls.connect(common.PORT, {
- rejectUnauthorized: true
- }, function() {
+ var socket = tls.connect(common.PORT, function() {
assert(false);
});
socket.on('error', function(err) {
@@ -74,7 +75,6 @@ function rejectUnauthorized() {
function authorized() {
var socket = tls.connect(common.PORT, {
- rejectUnauthorized: true,
ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))]
}, function() {
assert(socket.authorized);
View
3  test/simple/test-tls-client-resume.js
@@ -28,6 +28,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-client-verify.js
@@ -59,6 +59,9 @@ var testCases =
];
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var fs = require('fs');
View
3  test/simple/test-tls-connect-given-socket.js
@@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-connect-simple.js
@@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-getcipher.js
@@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-honorcipherorder.js
@@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-npn-server-client.js
@@ -25,6 +25,9 @@ if (!process.features.tls_npn) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common'),
assert = require('assert'),
fs = require('fs'),
View
3  test/simple/test-tls-over-http-tunnel.js
@@ -27,6 +27,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
View
3  test/simple/test-tls-passphrase.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-pause-close.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-pause.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-peer-certificate-multi-keys.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-peer-certificate.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-remote.js
@@ -24,6 +24,9 @@ if (!process.versions.openssl) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-request-timeout.js
@@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-set-encoding.js
@@ -19,6 +19,9 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
View
3  test/simple/test-tls-sni-server-client.js
@@ -28,6 +28,9 @@ if (!process.features.tls_sni) {
process.exit(0);
}
+// disable strict server certificate validation by the client
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
var common = require('../common'),
assert = require('assert'),
fs = require('fs'),
Please sign in to comment.
Something went wrong with that request. Please try again.