Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls requires a subject even when altNames are defined #22906

Closed
wants to merge 1 commit into from

Conversation

@jasonmacgowan
Copy link

jasonmacgowan commented Sep 17, 2018

Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines
@jasonmacgowan

This comment has been minimized.

Copy link
Author

jasonmacgowan commented Sep 18, 2018

@bnoordhuis thoughts?

@addaleax

This comment has been minimized.

Copy link
Member

addaleax commented Sep 22, 2018

@ryzokuken

This comment has been minimized.

Copy link
Member

ryzokuken commented Sep 23, 2018

/cc @bnoordhuis is it expected to behave like this after #14473?

@addaleax

This comment has been minimized.

Copy link
Member

addaleax commented Sep 24, 2018

@jasnell Since you approved this … is this ready to be landed? Is it semver-major?

CI: https://ci.nodejs.org/job/node-test-pull-request/17410/

@jasnell

This comment has been minimized.

Copy link
Member

jasnell commented Sep 25, 2018

I'd prefer a look from @nodejs/crypto given the context. It looks fine for me but this particular bit of stuff always can stand more eyes.

@jasnell jasnell requested review from bnoordhuis and shigeki Sep 25, 2018
lib/tls.js Outdated
@@ -204,7 +204,7 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
if (!valid)
reason = `IP: ${hostname} is not in the cert's list: ${ips.join(', ')}`;
// TODO(bnoordhuis) Also check URI SANs that are IP addresses.
} else if (subject) {
} else if (subject || altNames) {

This comment has been minimized.

Copy link
@bnoordhuis

bnoordhuis Sep 25, 2018

Member

Line 215 is going to throw a TypeError if it tries to read subject.CN when subject == null and altNames does not contain DNS:, IP: or URI: fields.

The logic should be something like } else if (subject || haveAltNames) { where haveAltNames is this:

const haveAltNames = dnsNames.length > 0 || ips.length > 0 || uriNames.length > 0;

I'd swap the branches of the if statement on line 214 so you can write if (haveAltNames) { - negations are to be avoided when possible.

This comment has been minimized.

Copy link
@sam-github

sam-github Dec 3, 2018

Member

I would have done the opposite: defined const noAltNames because switching the branches textually from their previous location makes the diff larger, and obscures what is actually being changed, which is much smaller.

@joyeecheung joyeecheung mentioned this pull request Sep 25, 2018
@jasonmacgowan

This comment has been minimized.

Copy link
Author

jasonmacgowan commented Sep 28, 2018

@bnoordhuis please review. Thanks!

lib/tls.js Outdated
hostname = unfqdn(hostname); // Remove trailing dot for error messages.
const hostParts = splitHost(hostname);
const wildcard = (pattern) => check(hostParts, pattern, true);
const noWildcard = (pattern) => check(hostParts, pattern, false);

This comment has been minimized.

Copy link
@bnoordhuis

bnoordhuis Oct 8, 2018

Member

It would be better to move these back inside an if statement.

unfqdn() and splitHost() are somewhat expensive operations that the user shouldn't have to pay for when the other branches are taken.

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Nov 27, 2018

@jasonmacgowan

This comment has been minimized.

Copy link
Author

jasonmacgowan commented Dec 1, 2018

@bnoordhuis take 3; please review. Thanks!

cc: @sam-github

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Dec 3, 2018

It surprised me that the check against a subjectAlternativeName didn't fall back on failure to the CN attribute of the subject, but I found that is required, at least it is here: https://tools.ietf.org/html/rfc6125#section-6.4.4

However, the domainComponent (if used, its likely uncommon) of the subject does look like it can be checked as a backup to the alt name: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 But... we don't support that. Unrelated to this PR.

While I agree in general with Ben's point about negatives in conditionals, in this case I think it causes excessive churn, but I'll leave that to him to comment on.

So, just one request: can you please ensure that tests exist with a subject CN, proving that it is disregarded for matching the hostname when when an alt name exists, but only if the altname contains one of the 3 "domainish" attributes? I think that'd be at least two tests.

@adamrobertbacon

This comment has been minimized.

Copy link

adamrobertbacon commented Apr 13, 2019

Is it cheeky for me to bump this issue. I have been dabbling my feet into nodejs for the first time and I've just fallen foul of the issue myself. My internal CA provider has decided to start using certs with an empty subject line. Could find no way around it so I had to allow unauthorised connections for an LDAPS lookup. Not the end of the world but far from ideal. Keep up the good work!

@jasonmacgowan

This comment has been minimized.

Copy link
Author

jasonmacgowan commented Apr 15, 2019

@adamrobertbacon check out auth0/ad-ldap-connector@1f4dd2b for a decent work around that doesn't require allowing all certs blindly.

@rajha-korithrien

This comment has been minimized.

Copy link

rajha-korithrien commented May 31, 2019

If it was cheeky for @adamrobertbacon to ping this issue back in April, I suppose it is even more cheeky for me to ping it in late May??

Thanks @jasonmacgowan for this code and a pointer to ad-ldap-connector. It will fit my needs of getting ldapjs to be a client of an Active Directory ldaps server with a default Microsoft self signed certifitate. Said certificate falls exactly into this boat, empty subject, DNS host name as a Subject Alternative Name.

Is there a thought as to what is still needed to get this merged? It is unexpected that an admittedly strange but (to my knowledge) standards conformant cert is not supported by the node.js TLS system.

Thanks!

@Monual

This comment has been minimized.

Copy link

Monual commented Oct 31, 2019

Can we get this approved and merged? This bug is affecting our production environment.

@addaleax

This comment has been minimized.

Copy link
Member

addaleax commented Oct 31, 2019

@sam-github You seem knowledgeable here, do you think you could write the tests you requested and push them here?

@nodejs-github-bot

This comment has been minimized.

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Oct 31, 2019

I'd like to, but I just don't have the time. Consider my comment unblocking.

@nodejs-github-bot

This comment has been minimized.

@nodejs-github-bot

This comment has been minimized.

@nodejs-github-bot

This comment has been minimized.

@nodejs-github-bot

This comment has been minimized.

@nodejs-github-bot

This comment has been minimized.

Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771
@addaleax addaleax force-pushed the jasonmacgowan:bug/RFC-5280 branch from a367fc0 to 22e55f5 Nov 28, 2019
@addaleax

This comment has been minimized.

Copy link
Member

addaleax commented Nov 28, 2019

Squashed and rebased to avoid a merge conflict.

@nodejs-github-bot

This comment has been minimized.

@nodejs-github-bot

This comment has been minimized.

addaleax added a commit that referenced this pull request Nov 29, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <jasnell@gmail.com>
@addaleax

This comment has been minimized.

Copy link
Member

addaleax commented Nov 29, 2019

Landed in ff48009 🎉

@addaleax addaleax closed this Nov 29, 2019
addaleax added a commit that referenced this pull request Nov 30, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <jasnell@gmail.com>
targos added a commit that referenced this pull request Dec 1, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <jasnell@gmail.com>
@BridgeAR BridgeAR mentioned this pull request Dec 3, 2019
@BethGriggs BethGriggs mentioned this pull request Dec 9, 2019
Sebastien-Ahkrin added a commit to Sebastien-Ahkrin/node that referenced this pull request Dec 11, 2019
Behavior described in nodejs#11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: nodejs#11771

PR-URL: nodejs#22906
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins added a commit that referenced this pull request Dec 17, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <jasnell@gmail.com>
@BethGriggs BethGriggs mentioned this pull request Dec 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
10 participants
You can’t perform that action at this time.