Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

TLS Client 'rejectUnauthorized' must default to true #3949

Closed
hueniverse opened this Issue Aug 30, 2012 · 9 comments

Comments

Projects
None yet
8 participants

No idea why server cert validation is off by default. This is a major security issue since the vast majority of developers are not aware of this and will leave it as-is. If you fail to check the server's certificate, you have zero protection against a long list of attacks.

Yes - changing the default is likely to break stuff. THAT'S A GOOD THING!

Agreed, this is a big no no. Security by default! Don't be like PHP :)

+1

skenqbx commented Aug 30, 2012

+1

Member

tellnes commented Aug 30, 2012

+1

Owner

bnoordhuis commented Aug 30, 2012

For review: https://github.com/bnoordhuis/node/compare/tls-reject-unauthorized

To be investigated: test/simple/test-https-pfx.js fails when you set rejectUnauthorized explicitly. The expected validation error changes from UNABLE_TO_GET_ISSUER_CERT to DEPTH_ZERO_SELF_SIGNED_CERT.

koichik commented Sep 1, 2012

@bnoordhuis - The patch LGTM, but API docs (just default values)?

Owner

bnoordhuis commented Sep 15, 2012

Addressed in 35607f3.

Fantastic! Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment