Skip to content
This repository has been archived by the owner. It is now read-only.

tls, https: default to rejectUnauthorized=true in tls.connect and https.request #4023

Merged
merged 2 commits into from Sep 15, 2012

Conversation

@bnoordhuis
Copy link
Member

@bnoordhuis bnoordhuis commented Sep 14, 2012

Quoting the commit log:

tls, https: validate server certificates by default

This commit changes the default value of the rejectUnauthorized option from
false to true.

What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.

There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.

Fixes #3949.

The second commit updates the tests to set rejectUnauthorized explicitly instead of mucking with the environment.

Suggested reviewer: @indutny

bnoordhuis added 2 commits Aug 30, 2012
This commit changes the default value of the rejectUnauthorized option from
false to true.

What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.

There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.

Fixes #3949.
Update the tls and https tests to explicitly set rejectUnauthorized instead of
relying on the NODE_TLS_REJECT_UNAUTHORIZED environment variable getting set.
@indutny
Copy link
Member

@indutny indutny commented Sep 15, 2012

@bnoordhuis If tests are passing - lgtm

@bnoordhuis
Copy link
Member Author

@bnoordhuis bnoordhuis commented Sep 15, 2012

Thanks Fedor, merged.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants