From 22ffa311deb47bde273e284be2a0e0111a40180d Mon Sep 17 00:00:00 2001
From: ghaiklor
Date: Sun, 27 Mar 2016 16:09:08 +0300
Subject: [PATCH 1/5] tls: rejectUnauthorized is treated to true by default
tls.connect treats rejectUnauthorized as a false value, when we need to treat it only when rejectUnauthorized is really set to false
---
 lib/_tls_wrap.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index e1767c5e672370..d502a580d8d914 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -1062,7 +1062,7 @@ exports.connect = function(...args /* [port,] [host,] [options,] [cb] */) {
 secureContext: context,
 isServer: false,
 requestCert: true,
- rejectUnauthorized: options.rejectUnauthorized,
+ rejectUnauthorized: options.rejectUnauthorized !== false,
 session: options.session,
 NPNProtocols: NPN.NPNProtocols,
 ALPNProtocols: ALPN.ALPNProtocols,
From 1575739abd1f71f40ad63b353a1025e45b642694 Mon Sep 17 00:00:00 2001
From: ghaiklor
Date: Sun, 27 Mar 2016 16:38:23 +0300
Subject: [PATCH 2/5] tls: change default values in createServer()
requestCert is false by default, rejectUnauthorized is true by default.
---
 lib/_tls_wrap.js | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index d502a580d8d914..288f82e05b3d12 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
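Review bot: The added `rejectUnauthorized: options.rejectUnauthorized !== false` fails closed — an omitted, `undefined` or `null` option now verifies the server certificate instead of silently disabling verification — but the line carries no comment saying so, and a later cleanup that rewrites it as a plain truthiness test would quietly reopen the unverified default. Add a why-comment above the line, e.g. `// Only an explicit \`false\` opts out of server-certificate verification; anything else fails closed.`. If `exports.connect` reads `options.rejectUnauthorized` anywhere else (none of that is visible in this hunk), it should apply the same `!== false` normalization, ideally computed once into a local, so the wrap and the rest of connect() cannot disagree. `exports.connect` begins before and continues past this hunk.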
@@ -920,17 +920,8 @@ Server.prototype.setTicketKeys = function setTicketKeys(keys) {
 Server.prototype.setOptions = function(options) {
- if (typeof options.requestCert === 'boolean') {
- this.requestCert = options.requestCert;
- } else {
- this.requestCert = false;
- }
-
- if (typeof options.rejectUnauthorized === 'boolean') {
- this.rejectUnauthorized = options.rejectUnauthorized;
- } else {
- this.rejectUnauthorized = false;
- }
+ this.requestCert = options.requestCert === true;
+ this.rejectUnauthorized = options.rejectUnauthorized !== false;
 if (options.pfx) this.pfx = options.pfx;
 if (options.key) this.key = options.key;
From f975376e7ec1110d74f1844b60c07b100fda4d1c Mon Sep 17 00:00:00 2001
From: ghaiklor
Date: Sun, 27 Mar 2016 16:51:45 +0300
Subject: [PATCH 3/5] tls: fix tests
The problem here is old behaviour of rejectUnauthorized. With previous implementation you could treat undefined as false. After this bevahiour was fixed, we need to explicitly set to false.
---
 test/parallel/test-https-foafssl.js | 3 ++-
 test/parallel/test-tls-session-cache.js | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/test/parallel/test-https-foafssl.js b/test/parallel/test-https-foafssl.js
index 8b711b81fee566..661b1961527ef5 100644
--- a/test/parallel/test-https-foafssl.js
+++ b/test/parallel/test-https-foafssl.js
@@ -42,7 +42,8 @@ const https = require('https');
 const options = {
 key: fs.readFileSync(common.fixturesDir + '/agent.key'),
 cert: fs.readFileSync(common.fixturesDir + '/agent.crt'),
- requestCert: true
+ requestCert: true,
+ rejectUnauthorized: false
 };
 const modulus = 'A6F44A9C25791431214F5C87AF9E040177A8BB89AC803F7E09BBC3A5519F' +
diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js
index f555da842bbd0c..887c36d4c5b427 100644
--- a/test/parallel/test-tls-session-cache.js
+++ b/test/parallel/test-tls-session-cache.js
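Review bot: The two new assignments in `Server.prototype.setOptions` deliberately use opposite defaults — `requestCert` is opt-in (`=== true`) while `rejectUnauthorized` is opt-out (`!== false`) — and nothing in the code records that the asymmetry is intended, so a future "consistency" edit could flip either one. Add a comment above them, e.g. `// requestCert is opt-in (default false); rejectUnauthorized is opt-out (default true): a server that asks for a client certificate rejects unverified clients unless explicitly told not to.`. This also changes observable behaviour: a server created with `requestCert: true` and no `rejectUnauthorized` previously stored `false` (the removed else-branch) and now stores `true`, which is why PATCH 3 has to add `rejectUnauthorized: false` to two fixtures; that is a semver-major change and deserves an explicit call-out in the commit message or release notes. setOptions continues past the end of this hunk.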
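Review bot: Adding `rejectUnauthorized: false` here (and in test-tls-session-cache.js in the next hunk) only keeps the existing fixtures green under the new default; no test in the series pins the default itself, so a regression back to "undefined means do not verify" would not be caught. Add a test that creates a server with `requestCert: true` and no `rejectUnauthorized`, connects with a client certificate the server's CA did not sign, and asserts the connection is rejected; a mirror test for `tls.connect` without `rejectUnauthorized` against a server whose certificate is not in the client's CA list should expect an `'error'` rather than a completed handshake. Since both fixtures now disable rejection on purpose, a one-line comment next to the option stating why unverified clients must be accepted for that particular test would stop someone from "fixing" it later.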
@@ -56,7 +56,8 @@ function doTest(testOptions, callback) {
 key: key,
 cert: cert,
 ca: [cert],
- requestCert: true
+ requestCert: true,
+ rejectUnauthorized: false
 };
 let requestCount = 0;
 let resumeCount = 0;
From be35f5a85b0dfa5d10873fbc9f070c824804fb2d Mon Sep 17 00:00:00 2001
From: Eugene Obrezkov
Date: Mon, 20 Mar 2017 18:54:03 +0200
Subject: [PATCH 4/5] docs: update tls section
Updates docs in all rejectUnauthorized flags. With this PR it defaults to true instead false.
---
 doc/api/tls.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 94281dd3f00c28..d8a7d281bded2f 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1014,7 +1014,7 @@ changes:
 `false`.
 * `rejectUnauthorized` {boolean} If `true` the server will reject any
 connection which is not authorized with the list of supplied CAs. This
- option only has an effect if `requestCert` is `true`. Defaults to `false`.
+ option only has an effect if `requestCert` is `true`. Defaults to `true`.
 * `NPNProtocols` {string[]|Buffer} An array of strings or a `Buffer` naming
 possible NPN protocols. (Protocols should be ordered by their priority.)
 * `ALPNProtocols` {string[]|Buffer} An array of strings or a `Buffer` naming
From 567bf44728046d37c58465309896c4da35d7fc26 Mon Sep 17 00:00:00 2001
From: Eugene Obrezkov
Date: Thu, 23 Mar 2017 10:21:55 +0200
Subject: [PATCH 5/5] docs: update description to rejectUnauthorized options
---
 doc/api/tls.md | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/doc/api/tls.md b/doc/api/tls.md
index d8a7d281bded2f..468a1b4eb8ab53 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -712,7 +712,10 @@ added: v0.11.8 --> * `options` {Object} - * `rejectUnauthorized` {boolean} + * `rejectUnauthorized` {boolean} If not `false`, the server certificate is verified + against the list of supplied CAs. An `'error'` event is emitted if + verification fails; `err.code` contains the OpenSSL error code. Defaults to + `true`. * `requestCert` * `callback` {Function} A function that will be called when the renegotiation request has been completed. @@ -769,7 +772,7 @@ changes: connection/disconnection/destruction of `socket` is the user's responsibility, calling `tls.connect()` will not cause `net.connect()` to be called. - * `rejectUnauthorized` {boolean} If `true`, the server certificate is verified + * `rejectUnauthorized` {boolean} If not `false`, the server certificate is verified against the list of supplied CAs. An `'error'` event is emitted if verification fails; `err.code` contains the OpenSSL error code. Defaults to `true`. @@ -1012,7 +1015,7 @@ changes: * `requestCert` {boolean} If `true` the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to `false`. - * `rejectUnauthorized` {boolean} If `true` the server will reject any + * `rejectUnauthorized` {boolean} If not `false` the server will reject any connection which is not authorized with the list of supplied CAs. This option only has an effect if `requestCert` is `true`. Defaults to `true`. * `NPNProtocols` {string[]|Buffer} An array of strings or a `Buffer` naming 
@@ -1190,9 +1193,8 @@ changes: opened as a server. * `requestCert` {boolean} `true` to specify whether a server should request a certificate from a connecting client. Only applies when `isServer` is `true`. -* `rejectUnauthorized` {boolean} `true` to specify whether a server should - automatically reject clients with invalid certificates. Only applies when - `isServer` is `true`. +* `rejectUnauthorized` {boolean} If not `false` a server automatically reject clients + with invalid certificates. Only applies when `isServer` is `true`. * `options` * `secureContext`: An optional TLS context object from [`tls.createSecureContext()`][]