rejectUnauthorized defaults to false #1072
Comments
Although the connection is working, it will only use long polling. If I uncomment rejectUnauthorized: false, it will upgrade the transport to websockets.
Google Chrome imposes the use of publicly certified SSL certificates. (https://www.certificate-transparency.org). Google plans to improve SSL Certificate Transparency within the Chrome browser with the goal of strengthening the security and reliability of the Internet. Beginning in April 2018, Google will require all new SSL/TLS certificates issued by Certificate Authorities (such as Comodo CA) to have records in publicly-available Certificate Transparency logs. Following this change, the Chrome browser will be able to detect certificates that were fraudulently issued by private organizations (like you and me when we generate a self-signed certificate).
The default value set by socket.io for this option is false, so whether you commented it or not it will stay false and thus allow the connection. The only way to block these connections is to specify it as true, thus overwriting the default value.
This was fixed in socketio/engine.io-client@beb7090, included in Documentation: https://socket.io/docs/v3/client-initialization/#Node-js-specific-options
You want to:
Current behaviour
I'm using a self-signed certificate. If I connect with a browser I'm warned about this and have to add an exception. If I use another instance of nodejs (no browser) to connect to the server, it connects fine. Only if I add rejectUnauthorized: true will it fail to connect.
Steps to reproduce (if the current behaviour is a bug)
Server:
Client:
Expected behaviour
I'd expect it to fail to connect with a self-signed certificate unless I set/uncomment rejectUnauthorized: false. Otherwise am I not susceptible to a man-in-the-middle attack?
Setup
Other information (e.g. stacktraces, related issues, suggestions how to fix)
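For the situation the issue describes (a Node.js client connecting to a server that presents a self-signed certificate), an added example of how a client can detect the insecure default and pin the server certificate instead of disabling verification. This is example code, not part of the issue or of socket.io; it assumes the client forwards `rejectUnauthorized` and `ca` unchanged to Node's TLS layer, as the linked Node.js-specific options documentation describes, and the certificate PEM is a constructed placeholder.

```javascript
// Added example (not from the issue or socket.io): audit and harden the
// Node.js-specific TLS options a socket.io client passes to Node's tls layer.
// Assumption: rejectUnauthorized and ca are forwarded unchanged to tls.connect.

// The issue reports that the library defaulted rejectUnauthorized to false,
// so an option object that omits the key is as insecure as one setting false.
const LIBRARY_DEFAULT_REJECT_UNAUTHORIZED = false;

// Returns a list of findings; empty when the options verify the server cert.
function auditTlsOptions(opts = {}, env = process.env) {
  const findings = [];
  const reject = opts.rejectUnauthorized === undefined
    ? LIBRARY_DEFAULT_REJECT_UNAUTHORIZED
    : opts.rejectUnauthorized;
  if (opts.rejectUnauthorized === undefined) {
    findings.push('rejectUnauthorized not set: library default (false) skips certificate verification');
  } else if (reject !== true) {
    findings.push('rejectUnauthorized is false: any certificate, including an attacker-supplied one, is accepted');
  }
  if (reject !== true && opts.ca) {
    findings.push('ca is supplied but ignored because verification is disabled');
  }
  // Node reads this env var and makes "skip verification" the process-wide default.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 sets the process-wide default to skip verification');
  }
  return findings;
}

// Returns a copy of opts that enables verification and trusts exactly the
// given self-signed certificate (PEM), which is the fix for the issue's setup.
function hardenTlsOptions(opts, serverCertPem) {
  if (opts.rejectUnauthorized === false) {
    throw new Error('refusing to build options that disable certificate verification');
  }
  if (typeof serverCertPem !== 'string' || !serverCertPem.includes('-----BEGIN CERTIFICATE-----')) {
    throw new Error('serverCertPem must be a PEM-encoded certificate');
  }
  return { ...opts, rejectUnauthorized: true, ca: [serverCertPem] };
}

// Constructed placeholder, not a real certificate; in practice read the
// server's self-signed certificate from disk, e.g. fs.readFileSync('server-cert.pem', 'utf8').
const PLACEHOLDER_CERT_PEM =
  '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n';

// Usage (hypothetical host): const io = require('socket.io-client');
// io('https://localhost:3000', hardenTlsOptions({ transports: ['websocket'] }, PLACEHOLDER_CERT_PEM));
```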