-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: get the local certificate after tls handshake #24261
Conversation
* Returns: {Object} | ||
|
||
Returns an object representing the local certificate. The returned object has | ||
some properties corresponding to the fields of the certificate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you be more specific than "some"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pretty vague, isn't it! ;-) This is the extent of the current documentation for parsed cert objects, unchanged since 0c42fac51596a68a6be02ea537e5ec03f228844b. Its on my list to fix, but for now I'd like to leave as-is. The wording of these docs are close to identical as possible to the docs for https://nodejs.org/api/tls.html#tls_tlssocket_getpeercertificate_detailed. I'm working on a PR to add EC and DH key info to X509ToObject, and I promise to doc the cert format then, and reorganize the docs, since the cert can show up in a handful of APIs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/to @bnoordhuis as promised, #24358
9bb96e6
to
74fa19f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Sam, LGTM.
One thing: you may want to stick in an exports.translatePeerCertificate = exports.translateCertChain
to stop it from being semver-major.
I don't want it to be semver-major, I'll put the original name back. Whats the current way to hide our internal API? Could I move |
Yep. |
ecfe565
to
a8c6016
Compare
ci: https://ci.nodejs.org/job/node-test-pull-request/18588/ James, Anna - thanks for catching the typo. |
Add an API to get the local certificate chosen during TLS handshake from the SSL context. Fix: nodejs#24095
a8c6016
to
f8f571f
Compare
Landed in db35fee |
Add an API to get the local certificate chosen during TLS handshake from the SSL context. Fix: nodejs#24095 PR-URL: nodejs#24261 Fixes: nodejs#24095 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
The documentation of `SSL_get_certificate` states that it returns an internal pointer that must not be freed by the caller. Therefore, using a smart pointer to take ownership is incorrect. Refs: https://man.openbsd.org/SSL_get_certificate.3 Refs: nodejs#24261 Fixes: https://github.com/nodejs-private/security/issues/217
If this is backported to LTS, it should go with #25490. |
The documentation of `SSL_get_certificate` states that it returns an internal pointer that must not be freed by the caller. Therefore, using a smart pointer to take ownership is incorrect. Refs: https://man.openbsd.org/SSL_get_certificate.3 Refs: #24261 Fixes: https://github.com/nodejs-private/security/issues/217 PR-URL: #25490 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
The documentation of `SSL_get_certificate` states that it returns an internal pointer that must not be freed by the caller. Therefore, using a smart pointer to take ownership is incorrect. Refs: https://man.openbsd.org/SSL_get_certificate.3 Refs: #24261 Fixes: https://github.com/nodejs-private/security/issues/217 PR-URL: #25490 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
The documentation of `SSL_get_certificate` states that it returns an internal pointer that must not be freed by the caller. Therefore, using a smart pointer to take ownership is incorrect. Refs: https://man.openbsd.org/SSL_get_certificate.3 Refs: nodejs/node#24261 Fixes: https://github.com/nodejs-private/security/issues/217 PR-URL: nodejs/node#25490 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Add an API to get the local certificate chosen during TLS handshake from the SSL context. Fix: nodejs#24095 PR-URL: nodejs#24261 Fixes: nodejs#24095 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
The documentation of `SSL_get_certificate` states that it returns an internal pointer that must not be freed by the caller. Therefore, using a smart pointer to take ownership is incorrect. Refs: https://man.openbsd.org/SSL_get_certificate.3 Refs: nodejs#24261 Fixes: https://github.com/nodejs-private/security/issues/217 PR-URL: nodejs#25490 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.
Fix: #24095
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes