This repository has been archived by the owner on Apr 22, 2023. It is now read-only.
TLS Client 'rejectUnauthorized' must default to true #3949
Labels
Comments
Agreed, this is a big no no. Security by default! Don't be like PHP :) |
+1 |
3 similar comments
+1 |
+1 |
+1 |
For review: https://github.com/bnoordhuis/node/compare/tls-reject-unauthorized To be investigated: test/simple/test-https-pfx.js fails when you set rejectUnauthorized explicitly. The expected validation error changes from UNABLE_TO_GET_ISSUER_CERT to DEPTH_ZERO_SELF_SIGNED_CERT. |
@bnoordhuis - The patch LGTM, but API docs (just default values)? |
Addressed in 35607f3. |
Fantastic! Thanks! |
This was referenced Apr 27, 2013
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
No idea why server cert validation is off by default. This is a major security issue since the vast majority of developers are not aware of this and will leave it as-is. If you fail to check the server's certificate, you have zero protection against a long list of attacks.
Yes - changing the default is likely to break stuff. THAT'S A GOOD THING!
The text was updated successfully, but these errors were encountered: