
tls: warn on NODE_TLS_REJECT_UNAUTHORIZED = '0'

Emit a warning on the first TLS connection made while the
NODE_TLS_REJECT_UNAUTHORIZED environment variable is set to '0'.

PR-URL: #21900
Refs: #21774
Reviewed-By: James M Snell <jasnell@gmail.com>
cjihrig committed Jul 20, 2018
1 parent 87f7671 commit 3095eecc4748da4ce7ac70e2b352ddba6c4c4deb
Showing with 20 additions and 1 deletion.
  1. +12 −1 lib/_tls_wrap.js
  2. +8 −0 test/parallel/test-https-strict.js
@@ -1098,14 +1098,25 @@ function onConnectEnd() {
}
}

let warnOnAllowUnauthorized = true;

// Arguments: [port,] [host,] [options,] [cb]
exports.connect = function connect(...args) {
args = normalizeConnectArgs(args);
var options = args[0];
var cb = args[1];
const allowUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0';

if (allowUnauthorized && warnOnAllowUnauthorized) {
warnOnAllowUnauthorized = false;
process.emitWarning('Setting the NODE_TLS_REJECT_UNAUTHORIZED ' +
'environment variable to \'0\' makes TLS connections ' +
'and HTTPS requests insecure by disabling ' +
'certificate verification.');
}

var defaults = {
rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED,
rejectUnauthorized: !allowUnauthorized,
ciphers: tls.DEFAULT_CIPHERS,
checkServerIdentity: tls.checkServerIdentity,
minDHSize: 1024
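Review bot: The `process.emitWarning(...)` call in `connect` passes only the message, so the warning carries no code, and anything that watches `process.on('warning')` or stderr for disabled certificate verification has to match the message text. Passing a type and a stable code as the second and third arguments, for example ending the call with `'certificate verification.', 'Warning', '<WARNING_CODE>');` (placeholder code), would make it filterable; the `common.noWarnCode` expectation in the test would then need the same code. It would also help to document the latch above `let warnOnAllowUnauthorized = true;` with `// Warn once per process, on the first connect() that sees NODE_TLS_REJECT_UNAUTHORIZED === '0'.`, because every later connection with verification disabled is silent by design. The body of `connect` continues past the end of the hunk.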
@@ -28,6 +28,14 @@ if (!common.hasCrypto)
// disable strict server certificate validation by the client
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

common.expectWarning(
'Warning',
'Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to \'0\' ' +
'makes TLS connections and HTTPS requests insecure by disabling ' +
'certificate verification.',
common.noWarnCode
);

const assert = require('assert');
const https = require('https');
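Review bot: The added `common.expectWarning(...)` covers only the case where the variable is exactly `'0'`; nothing in the two files shown checks that no warning is emitted when NODE_TLS_REJECT_UNAUTHORIZED is unset or holds another value such as `'1'`. A companion test that leaves the variable unset, makes a TLS connection and fails on any `'warning'` event would pin the strict `=== '0'` comparison in `lib/_tls_wrap.js`. Whether the once-only latch is asserted here depends on how `common.expectWarning` counts calls, which is not visible on this page.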
