Description
Bug Report
I've been using Restify with client certificate authentication and have noticed that it seems to ignore any certificate revocation list that is set in httpsServerOptions when the key/certificate/ca/requestCert/rejectUnauthorized are set in Restify ServerOptions. This means that when I make a request with a revoked certificate attached, the request is accepted when it should be rejected.
However, when I set the aforementioned options inside the httpsServerOptions field, and not inside the Restify ServerOptions, the request is correctly rejected.
This might not technically be a bug, but I think it is definitely unexpected behaviour.
Restify Version
7.7.0
Node.js Version
10.15.1
Expected behaviour
Restify checks the CRL object that was set in httpsServerOptions alongside any values set in the Restify ServerOptions.
Actual behaviour
Restify ignores the CRL value set in httpsServerOptions if the certificate/key/ca are set in the Restify ServerOptions instead.
Repro case
Server
```js
import restify from 'restify';
import fs from 'fs';

const server = restify.createServer({
  certificate: fs.readFileSync("a/valid/cert"),
  key: fs.readFileSync("a/valid/key"),
  ca: fs.readFileSync("a/valid/ca"),
  requestCert: true,
  rejectUnauthorized: true,
  httpsServerOptions: {
    // This CRL is ignored when the keys above are set at the top level.
    crl: fs.readFileSync("a/valid/crl")
  }
});

server.get('/*', (req, res, next) => {
  res.send("Hello World");
  return next();
});

server.listen(443);
```

A request with a revoked certificate attached will be accepted by this server.
Are you willing and able to fix this?
Not currently.
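The following is an added example, not code from this issue or from the Restify project. It applies the workaround the report identifies (every TLS key placed inside `httpsServerOptions`) through a small helper, and adds a startup guard so a deployment that requires client certificates refuses to start when no CRL reaches the effective TLS options. The helper names `consolidateTlsOptions` and `assertRevocationConfigured` are hypothetical; the mapping of Restify's `certificate` option to Node's `cert` TLS option is an assumption about how the options are named, and the PEM buffers are constructed placeholders standing in for the files read with `fs.readFileSync`.

```javascript
'use strict';

// Restify's top-level TLS keys and the Node tls option each one maps to.
// Assumption: only `certificate` -> `cert` differs in name.
const TOP_LEVEL_TLS_KEYS = {
  certificate: 'cert',
  key: 'key',
  ca: 'ca',
  crl: 'crl',
  requestCert: 'requestCert',
  rejectUnauthorized: 'rejectUnauthorized',
};

// Return a copy of `serverOptions` in which every TLS-related key lives under
// `httpsServerOptions`, the form the report says honours the CRL. A value
// already inside httpsServerOptions wins over a top-level duplicate.
function consolidateTlsOptions(serverOptions) {
  const rest = { ...serverOptions };
  const tls = { ...(serverOptions.httpsServerOptions || {}) };
  for (const [restifyKey, nodeKey] of Object.entries(TOP_LEVEL_TLS_KEYS)) {
    if (restifyKey in rest) {
      if (!(nodeKey in tls)) tls[nodeKey] = rest[restifyKey];
      delete rest[restifyKey];
    }
  }
  return { ...rest, httpsServerOptions: tls };
}

// Startup guard: when client certificates are demanded, refuse to proceed
// unless a CRL is present in the effective TLS options, so a silently dropped
// CRL fails fast instead of letting revoked certificates through.
function assertRevocationConfigured(serverOptions) {
  const tls = serverOptions.httpsServerOptions || {};
  if (tls.requestCert && tls.rejectUnauthorized) {
    if (tls.crl === undefined || tls.crl === null || tls.crl.length === 0) {
      throw new Error('client certificates are required but no CRL is configured');
    }
  }
  return true;
}

// Constructed placeholder PEM buffers; a real deployment reads these from disk.
const PLACEHOLDER = {
  certificate: Buffer.from('-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n'),
  key: Buffer.from('-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n'),
  ca: Buffer.from('-----BEGIN CERTIFICATE-----\nplaceholder-ca\n-----END CERTIFICATE-----\n'),
  crl: Buffer.from('-----BEGIN X509 CRL-----\nplaceholder\n-----END X509 CRL-----\n'),
};

// The shape from the report: crl under httpsServerOptions, the rest top level.
const reportedShape = {
  certificate: PLACEHOLDER.certificate,
  key: PLACEHOLDER.key,
  ca: PLACEHOLDER.ca,
  requestCert: true,
  rejectUnauthorized: true,
  httpsServerOptions: { crl: PLACEHOLDER.crl },
};

// Consolidate, verify, and only then hand the result to restify.createServer().
const consolidated = consolidateTlsOptions(reportedShape);
assertRevocationConfigured(consolidated);
console.log(Object.keys(consolidated.httpsServerOptions).sort().join(','));
// -> ca,cert,crl,key,rejectUnauthorized,requestCert

module.exports = { consolidateTlsOptions, assertRevocationConfigured, reportedShape };
```

Pass `consolidated` to `restify.createServer` in place of the mixed shape from the repro; the guard belongs before `server.listen`, so a missing CRL stops the process rather than being discovered after a revoked certificate has already been accepted.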