Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rejectUnauthorized defaults to false #1072

Closed
1 of 2 tasks
jamcoy opened this issue Feb 14, 2017 · 4 comments
Closed
1 of 2 tasks

rejectUnauthorized defaults to false #1072

jamcoy opened this issue Feb 14, 2017 · 4 comments
Milestone
2.0.0

Comments

@jamcoy
Copy link

jamcoy commented Feb 14, 2017
edited

You want to:

  • report a bug
  • request a feature

Current behaviour

I'm using a self-signed certificate. If I connect with a browser I'm warned about this and have to add an exception. If I use another instance of nodejs (no browser) to connect to the server, it connects fine. Only if I add rejectUnauthorized: true will it fail to connect.

Steps to reproduce (if the current behaviour is a bug)

Server:

var app = require('../app');
var debug = require('debug')('socketio:server');
var https = require('https');
var fs = require('fs');

var tls_options = {
    key: fs.readFileSync('server.key'),
    cert: fs.readFileSync('server.crt')
};

var server = https.createServer(tls_options, app);

server.listen(port);
server.on('error', onError);
server.on('listening', onListening);

var io = require('socket.io').listen(server);

Client:

var io = require('socket.io-client')

var options = {
        //rejectUnauthorized: false // allow self-signed certs
};

var socket = io.connect('https://xxx.xxx.xxx.xxx:3000', options);

Expected behaviour

I'd expect it to fail to connect with a self-signed certificate unless I set/uncomment rejectUnauthorized: false. Otherwise am I not susceptible to a man-in-the-middle attack?

Setup

  • OS: Server: Debian 9.0, client: Raspian 8.0
  • browser: N/A
  • socket.io version: Server: 1.7.2 , Client: socket.io-client@1.7.2

Other information (e.g. stacktraces, related issues, suggestions how to fix)
@jamcoy
Copy link
Author

jamcoy commented Feb 15, 2017

Although the connection is working, it will only use long polling. If I uncomment rejectAuthorized: false, it will upgrade the transport to websockets
Am I misunderstanding something? Or is it a bug?

@dotbloup
Copy link

Google Chrome imposes the use of publicly certified SSL certificates. (https://www.certificate-transparency.org). ogle plans to improve SSL Certificate Transparency within the Chrome browser with the goal of strengthening the security and reliability of the Internet. Beginning in April 2018, Google will require all new SSL/TLS certificates issued by Certificate Authorities (such as Comodo CA) to have records in publicly-available Certificate Transparency logs.

Following this change, the Chrome browser will be able to detect certificates that were fraudulently issued by private organizations (like you and me when we generate a self signed certificate).

@christosv94
Copy link

christosv94 commented Nov 26, 2019
edited

The default value set by socket.io for this option is false, so whether you commented it or not it will stay false and thus allow the connection. The only way to block these connections is to specify it as true, thus overwriting the default value

@darrachequesne
Copy link
Member

This was fixed in socketio/engine.io-client@beb7090, included in engine.io-client@3.0.0 and socket.io-client@2.0.0.

Documentation: https://socket.io/docs/v3/client-initialization/#Node-js-specific-options

@darrachequesne darrachequesne added this to the 2.0.0 milestone Jan 27, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.0.0
Development

No branches or pull requests
4 participants
@darrachequesne @dotbloup @jamcoy @christosv94