Error "Hostname/IP doesn't match certificate's altnames" with Node 0.10.0 #181

Closed
naholyr opened this Issue Mar 12, 2013 · 6 comments


naholyr commented Mar 12, 2013

Hello,

I cannot find any way to connect to imap.gmail.com anymore when using imap with Node 0.10.0, it continuously throws the following error:

events.js:72
        throw er; // Unhandled 'error' event
              ^
Error: Hostname/IP doesn't match certificate's altnames
    at SecurePair.<anonymous> (tls.js:1280:23)
    at SecurePair.EventEmitter.emit (events.js:92:17)
    at SecurePair.maybeInitFinished (tls.js:883:10)
    at CleartextStream.read [as _read] (tls.js:421:15)
    at CleartextStream.Readable.read (_stream_readable.js:293:10)
    at EncryptedStream.write [as _write] (tls.js:330:25)
    at doWrite (_stream_writable.js:211:10)
    at writeOrBuffer (_stream_writable.js:201:5)
    at EncryptedStream.Writable.write (_stream_writable.js:172:11)
    at write (_stream_readable.js:547:24)

I'm not sure exactly why this happens. In previous versions it happened when you provided a direct IP for connection, but it's not the case here.

I'll try to dig further, but for the moment I have no idea :s

Note: I tested with all available 0.9.x versions and I can say it's still working in 0.9.1, and starts failing at 0.9.2.

naholyr commented Mar 12, 2013

OK I found the source of the issue, from changelog of 0.9.2:

tls, https: validate server certificate by default (Ben Noordhuis)

Add rejectUnauthorized: false to go back to previous behavior. I think the best would be to allow tls options to be passed to Imap#connect, I'll send a PR for that in a few minutes :)

naholyr added a commit to byteclubfr/node-imap that referenced this issue Mar 12, 2013

@mscdex mscdex closed this in 0b042e0 Mar 12, 2013

skeggse commented Mar 17, 2013

This hasn't been added to the npm module, has it? For now, I'm modifying imap.js, but I'd prefer not to.

naholyr commented Mar 17, 2013

You could depend on https://github.com/mscdex/node-imap.git#5610cb90c7 in your package.json and change it back when it's published :)
That's what I do.

skeggse commented Mar 17, 2013

Okay, I'll do that. Thanks!

mscdex commented Mar 17, 2013

I'll be publishing a new version once I get the ugly fetch() bug fixed.

@chirag04 chirag04 referenced this issue in circuithub/mail-listener Apr 3, 2013

Closed

mail listener breaks on receiving new mails #7

chirag04 commented Apr 4, 2013

@mscdex Can we have this published to npm?

@chirag04 chirag04 referenced this issue in circuithub/mail-listener Apr 15, 2013

Closed

Error: Hostname/IP doesn't match certificate's altnames #11

@neoziro neoziro referenced this issue in SpeCT/node-c2dm Jun 5, 2013

Merged

Authorization problem on node > 0.9.2 #25

nagakiran pushed a commit to nagakiran/contrail-web-core that referenced this issue Jul 29, 2016

Closes-Bug: #1606646
Post node version 0.9.1, tls, https: validate server certificate by default.
So in case self signed certificate, UI will not work with https request to
openstack services.
mscdex/node-imap#181 (comment)
Fix: Added rejectUnauthorized flag.

In node post v0.11.14, we have custom checkServerIdentity in options to have
more control.

UT Results:
+++++++++++
contrail-web-controller:
------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 376 of 376 SUCCESS (1 min 41.645 secs / 1 min 39.143 secs)
Done, without errors.

contrail-web-server-manager:
----------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 89 of 89 SUCCESS (11.9 secs / 11.643 secs)
Done, without errors.

contrail-web-storage:
--------------------
PhantomJS 1.9.8 (Mac OS X 0.0.0): Executed 84 of 84 SUCCESS (20.301 secs / 18.748 secs)
Done, without errors.

Change-Id: Iec589a59b5ae153c3b6a57ad1e96a025c8a9280e
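
An added example, not part of the original thread or of node-imap or contrail-web-core: rather than setting rejectUnauthorized: false, the name check alone can be scoped with the checkServerIdentity option the commit message above mentions, leaving chain validation on. The certificate object, host names and the pinnedNameOptions/evaluate helpers are constructed for illustration; the check runs offline against Node's own tls.checkServerIdentity.

```javascript
'use strict';
const tls = require('tls');

// Constructed certificate, in the shape getPeerCertificate() returns.
// All names and addresses are sample values for this example only.
const sampleCert = {
  subject: { CN: 'imap.example.test' },
  subjectaltname: 'DNS:imap.example.test, DNS:*.mail.example.test',
};

// Hypothetical helper: TLS options that keep chain validation on and verify
// the certificate against `expectedName` instead of the host actually dialed
// (for example when connecting by IP address or through an internal alias).
function pinnedNameOptions(expectedName, extra) {
  return Object.assign({}, extra, {
    rejectUnauthorized: true, // chain validation stays enabled
    checkServerIdentity: function (dialedHost, cert) {
      // Delegate to Node's matcher; it returns an Error or undefined.
      return tls.checkServerIdentity(expectedName, cert);
    },
  });
}

// Run the name check the way tls.connect() would for each dialed host.
function evaluate(hosts, cert, options) {
  const check = (options && options.checkServerIdentity) || tls.checkServerIdentity;
  return hosts.map(function (host) {
    const err = check(host, cert);
    return { host: host, ok: err === undefined, reason: err ? err.message : null };
  });
}

const dialed = ['imap.example.test', 'a.mail.example.test', '192.0.2.10', 'evil.example.test'];
// Default check: exact and wildcard names pass, the IP and the unrelated name fail.
const defaults = evaluate(dialed, sampleCert);
// Dialing by IP passes only when the certificate matches the expected name.
const pinned = evaluate(['192.0.2.10'], sampleCert, pinnedNameOptions('imap.example.test'));
const wrongPin = evaluate(['192.0.2.10'], sampleCert, pinnedNameOptions('other.example.test'));

console.log(defaults, pinned, wrongPin);
```

The object returned by pinnedNameOptions can be merged into the options passed to tls.connect; a self-signed certificate is better handled by supplying it through the ca option than by disabling validation.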

nagakiran pushed a commit to nagakiran/contrail-web-core that referenced this issue Jul 29, 2016

Merge "Closes-Bug: #1606646 Post node version 0.9.1, tls, https: vali…
…date server certificate by default. So in case self signed certificate, UI will not work with https request to openstack services. mscdex/node-imap#181 (comment) Fix: Added rejectUnauthorized flag." into R3.1

opencontrail-ci-admin pushed a commit to Juniper/contrail-web-core that referenced this issue Aug 5, 2016

Closes-Bug: #1605163
This is side effect of the below fix:
f10620e
Computing data before Content-Length header assignment.

Change-Id: I100ab66856595688e97a74a54ce534fcdc201a36
(cherry picked from commit 15ba740)

Closes-Bug: #1606646
Post node version 0.9.1, tls, https: validate server certificate by default.
So in case self signed certificate, UI will not work with https request to
openstack services.
mscdex/node-imap#181 (comment)
Fix: Added rejectUnauthorized flag.

In node post v0.11.14, we have custom checkServerIdentity in options to have
more control.

UT Results:
+++++++++++
contrail-web-controller:
------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 376 of 376 SUCCESS (1 min 41.645 secs / 1 min 39.143 secs)
Done, without errors.

contrail-web-server-manager:
----------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 89 of 89 SUCCESS (11.9 secs / 11.643 secs)
Done, without errors.

contrail-web-storage:
--------------------
PhantomJS 1.9.8 (Mac OS X 0.0.0): Executed 84 of 84 SUCCESS (20.301 secs / 18.748 secs)
Done, without errors.

Change-Id: Iec589a59b5ae153c3b6a57ad1e96a025c8a9280e
(cherry picked from commit 60c2149)

Related-Bug: #1606775
Once we get logout request, immediately invalidate session authentication, and
clear _csrf, connect.sid cookie, do not wait for deleting the token.

UT Results:
+++++++++++
contrail-web-controller:
------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 376 of 376 SUCCESS (1 min 41.645 secs / 1 min 39.143 secs)
Done, without errors.

contrail-web-server-manager:
----------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 89 of 89 SUCCESS (11.9 secs / 11.643 secs)
Done, without errors.

contrail-web-storage:
--------------------
PhantomJS 1.9.8 (Mac OS X 0.0.0): Executed 84 of 84 SUCCESS (20.301 secs / 18.748 secs)
Done, without errors.

Change-Id: Ie11186071bb92f116b9472473170e19c58010adf
(cherry picked from commit b1603b9)

Closes-Bug: #1584651
doDeepSort, align the keys according to the type of input object

Change-Id: I2c791ae2e45ed081fde9947508bf9ec2bdd25675
(cherry picked from commit c2913b7)

Closes-Bug: #1608383
In Microsoft EDGE Browser, response code 307, does not lead the browser to
redirect to certain URL, so sending 200 responseCode. (if userAgent
contains MSIE/Trident/Edge)

Change-Id: I4f971f66de19db915492884cbaf9ef0b09f05eb7
(cherry picked from commit 562c002)

Closes-Bug: #1609425
In earlier releases we had /login and /vcenter/login, from R3.1
we have changed login to "/" and "/vcenter" only, so in case
user does "/login" or "/vcenter/login" then they should redirect
to "/" and "/vcenter" respectively.

Change-Id: I2424639aefd4e2a3291e492ec702096138da5d87
(cherry picked from commit e1c3185)

Closes-Bug: #1609425
Handled the case of /logout and /vcenter/logout as well, it used to come json
response, instead of changing to login screen to come and changing the url as
per the orchestration system running.
In vcenter logout, after logout response from vcenter, do the next set of
operations.

Change-Id: I73d01daf4032fe7cc30d69e43bad80bfe176727d
(cherry picked from commit 30ed590)

opencontrail-ci-admin pushed a commit to Juniper/contrail-web-core that referenced this issue Aug 8, 2016

Closes-Bug: #1606646
Post node version 0.9.1, tls, https: validate server certificate by default.
So in case self signed certificate, UI will not work with https request to
openstack services.
mscdex/node-imap#181 (comment)
Fix: Added rejectUnauthorized flag.

In node post v0.11.14, we have custom checkServerIdentity in options to have
more control.

UT Results:
+++++++++++
contrail-web-controller:
------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 376 of 376 SUCCESS (1 min 41.645 secs / 1 min 39.143 secs)
Done, without errors.

contrail-web-server-manager:
----------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 89 of 89 SUCCESS (11.9 secs / 11.643 secs)
Done, without errors.

contrail-web-storage:
--------------------
PhantomJS 1.9.8 (Mac OS X 0.0.0): Executed 84 of 84 SUCCESS (20.301 secs / 18.748 secs)
Done, without errors.

Change-Id: Iec589a59b5ae153c3b6a57ad1e96a025c8a9280e
(cherry picked from commit 60c2149)

Avoid passing an empty 'data' object to restler.get calls.

Restler changes Content-Type to 'application/x-www-form-urlencoded' even
for GET requests, as long as data is not a string. That breaks some nova
API calls when Mitaka nova-api is used, as it now expects to get
"application/json" for all queries. Make sure we pass data object only
for POST and PUT calls.

Change-Id: Ieaf1622dec703404d9672681a9cd0d35199326d7
Closes-Bug: 1591393
(cherry picked from commit f10620e)

Closes-Bug: #1605163
This is side effect of the below fix:
f10620e
Computing data before Content-Length header assignment.

Change-Id: I100ab66856595688e97a74a54ce534fcdc201a36
(cherry picked from commit 15ba740)

opencontrail-ci-admin pushed a commit to Juniper/contrail-web-core that referenced this issue Nov 12, 2016

Closes-Bug: #1606646
Post node version 0.9.1, tls, https: validate server certificate by default.
So in case self signed certificate, UI will not work with https request to
openstack services.
mscdex/node-imap#181 (comment)
Fix: Added rejectUnauthorized flag.

In node post v0.11.14, we have custom checkServerIdentity in options to have
more control.

UT Results:
+++++++++++
contrail-web-controller:
------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 376 of 376 SUCCESS (1 min 41.645 secs / 1 min 39.143 secs)
Done, without errors.

contrail-web-server-manager:
----------------------------
PhantomJS 1.9.8 (Mac OS X 10.9.5): Executed 89 of 89 SUCCESS (11.9 secs / 11.643 secs)
Done, without errors.

contrail-web-storage:
--------------------
PhantomJS 1.9.8 (Mac OS X 0.0.0): Executed 84 of 84 SUCCESS (20.301 secs / 18.748 secs)
Done, without errors.

Change-Id: Iec589a59b5ae153c3b6a57ad1e96a025c8a9280e
(cherry picked from commit 60c2149)

Avoid passing an empty 'data' object to restler.get calls.

Restler changes Content-Type to 'application/x-www-form-urlencoded' even
for GET requests, as long as data is not a string. That breaks some nova
API calls when Mitaka nova-api is used, as it now expects to get
"application/json" for all queries. Make sure we pass data object only
for POST and PUT calls.

Change-Id: Ieaf1622dec703404d9672681a9cd0d35199326d7
Closes-Bug: 1591393
(cherry picked from commit f10620e)

Closes-Bug: #1605163
This is side effect of the below fix:
f10620e
Computing data before Content-Length header assignment.

Change-Id: I100ab66856595688e97a74a54ce534fcdc201a36
(cherry picked from commit 15ba740)