ERR_TLS_CERT_ALTNAME_INVALID with dns interceptor and https #3817

Closed
DTrombett opened this issue Nov 8, 2024 · 2 comments · Fixed by #3821
Labels
bug Something isn't working

DTrombett commented Nov 8, 2024

Bug Description

I am not sure if I misunderstood how the dns interceptor works, but trying to make a simple https request with it, without any option, will fail.

Reproducible By

import { getGlobalDispatcher, interceptors, request } from "undici";

await request("https://example.com", {
	dispatcher: getGlobalDispatcher().compose(interceptors.dns()),
});

Expected Behavior

The request should complete successfully

Logs & Screenshots

Error log
node:internal/modules/run_main:122
    triggerUncaughtException(
    ^

Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 93.184.215.14 is not in the cert's list: 
    at Object.checkServerIdentity (node:tls:316:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:518:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at ssl.onhandshakedone (node:_tls_wrap:864:12) {
  code: 'ERR_TLS_CERT_ALTNAME_INVALID',
  reason: "IP: 93.184.215.14 is not in the cert's list: ",
  host: '93.184.215.14',
  cert: {
    subject: [Object: null prototype] {
      C: 'US',
      ST: 'California',
      L: 'Los Angeles',
      O: 'Internet Corporation for Assigned Names and Numbers',
      CN: 'www.example.org'
    },
    issuer: [Object: null prototype] {
      C: 'US',
      O: 'DigiCert Inc',
      CN: 'DigiCert Global G2 TLS RSA SHA256 2020 CA1'
    },
    subjectaltname: 'DNS:www.example.org, DNS:example.net, DNS:example.edu, DNS:example.com, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net',        
    infoAccess: [Object: null prototype] {
      'OCSP - URI': [ 'http://ocsp.digicert.com' ],
      'CA Issuers - URI': [
        'http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt'
      ]
    },
    ca: false,
    bits: 2048,
    exponent: '0x10001',
    valid_from: 'Jan 30 00:00:00 2024 GMT',
    valid_to: 'Mar  1 23:59:59 2025 GMT',
    fingerprint: '4D:A2:5A:6D:5E:F6:2C:5F:95:C7:BD:0A:73:EA:3C:17:7B:36:99:9D',
    fingerprint256: 'EF:BA:26:D8:C1:CE:37:79:AC:77:63:0A:90:F8:21:63:A3:D6:89:2E:D6:AF:EE:40:86:72:CF:19:EB:A7:A3:62',
    fingerprint512: '30:D1:93:BF:AB:2B:50:F9:DE:26:6E:D6:4D:AA:8C:DE:20:B6:D5:8C:A2:11:0C:F3:5D:92:31:C8:8C:40:ED:AF:11:05:7D:66:6A:FD:56:50:B7:C0:10:5B:E8:7B:0F:7F:3C:EB:B2:02:F2:69:E7:72:2B:B5:06:82:E6:C4:3D:06',
    ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
    serialNumber: '075BCEF30689C8ADDF13E51AF4AFE187',
    issuerCertificate: {
      subject: [Object: null prototype] {
        C: 'US',
        O: 'DigiCert Inc',
        CN: 'DigiCert Global G2 TLS RSA SHA256 2020 CA1'
      },
      issuer: [Object: null prototype] {
        C: 'US',
        O: 'DigiCert Inc',
        OU: 'www.digicert.com',
        CN: 'DigiCert Global Root G2'
      },
      infoAccess: [Object: null prototype] {
        'OCSP - URI': [ 'http://ocsp.digicert.com' ],
        'CA Issuers - URI': [ 'http://cacerts.digicert.com/DigiCertGlobalRootG2.crt' ]
      },
      ca: true,
      bits: 2048,
      exponent: '0x10001',
      valid_from: 'Mar 30 00:00:00 2021 GMT',
      valid_to: 'Mar 29 23:59:59 2031 GMT',
      fingerprint: '1B:51:1A:BE:AD:59:C6:CE:20:70:77:C0:BF:0E:00:43:B1:38:26:12',
      fingerprint256: 'C8:02:5F:9F:C6:5F:DF:C9:5B:3C:A8:CC:78:67:B9:A5:87:B5:27:79:73:95:79:17:46:3F:C8:13:D0:B6:25:A9',
      fingerprint512: '0A:25:C3:C3:36:45:96:51:C6:BE:37:E6:08:D4:5D:20:C5:00:BF:78:8C:71:5A:9D:92:F2:E0:29:FF:8B:E4:8F:A1:ED:0F:76:EC:59:56:F0:F7:FB:C8:3F:3E:75:61:DD:E1:96:9F:B2:8B:C4:2C:A0:75:68:4E:60:F0:A9:23:B3',
      ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
      serialNumber: '0CF5BD062B5602F47AB8502C23CCF066',
      issuerCertificate: <ref *1> {
        subject: [Object: null prototype] {
          C: 'US',
          O: 'DigiCert Inc',
          OU: 'www.digicert.com',
          CN: 'DigiCert Global Root G2'
        },
        issuer: [Object: null prototype] {
          C: 'US',
          O: 'DigiCert Inc',
          OU: 'www.digicert.com',
          CN: 'DigiCert Global Root G2'
        },
        ca: true,
        bits: 2048,
        exponent: '0x10001',
        valid_from: 'Aug  1 12:00:00 2013 GMT',
        valid_to: 'Jan 15 12:00:00 2038 GMT',
        fingerprint: 'DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4',
        fingerprint256: 'CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F',
        fingerprint512: '56:22:20:7E:1B:A2:85:F1:72:75:6F:60:19:AF:92:AC:80:8E:D6:32:86:E2:4D:FE:CC:1E:79:87:3F:B5:D1:40:F1:CE:B7:13:3F:24:76:E8:9A:5F:75:F7:11:F9:81:3A:9F:BB:8F:D5:28:7F:64:AD:FD:CC:53:B8:64:F9:BD:C5',
        serialNumber: '033AF1E6A711A9A0BB2864B11D09FAE5',
        issuerCertificate: [Circular *1]
      }
    }
  }
}

Environment

undici@7.0.0-alpha.3, Node v22.11.0, Windows 11 Home

Additional context

Tried with any https URL and the result is the same. The request is completed correctly without the interceptor.

@DTrombett DTrombett added the bug Something isn't working label Nov 8, 2024
DTrombett commented Nov 9, 2024

More context: it seems that the DNS interceptor completely erases the origin. Running the same code with process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0', in fact, returns a 404 not found. Other origins instead report that no URL was requested, etc.

Not sure if this is totally expected and I completely misunderstood how and when we're supposed to use it...

Edit: Removing line 357 works

const dispatchOpts = {
  ...origDispatchOpts,
  origin: newOrigin
}

@mcollina

Thanks for reporting! Would you like to send a Pull Request to address this issue? Remember to add unit tests.

ronag pushed a commit that referenced this issue Nov 20, 2024
* fix(#3817): send servername for SNI on TLS

* fix: set host header to servername

* refactor: attach regardless
metcoder95 added a commit that referenced this issue Nov 21, 2024
* fix(#3817): send servername for SNI on TLS

* fix: set host header to servername

* refactor: attach regardless

(cherry picked from commit b93a834)
mcollina pushed a commit that referenced this issue Nov 22, 2024
* fix(#3817): send servername for SNI on TLS (#3821)

* fix(#3817): send servername for SNI on TLS

* fix: set host header to servername

* refactor: attach regardless

(cherry picked from commit b93a834)

* feat: missing interceptor

* fix: lint
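
The failure reported in this issue and the effect of the "send servername for SNI" commits can be reproduced offline with Node's own `tls.checkServerIdentity()`. This is an added example, not undici's code: `verifyPeer` and its return shape are hypothetical, and the certificate object is constructed from the `subject` and `subjectaltname` values in the error log above.

```javascript
const tls = require('node:tls');

// Constructed peer certificate: only the fields tls.checkServerIdentity()
// reads, with values copied from the error log in this issue.
const cert = {
  subject: { CN: 'www.example.org' },
  subjectaltname:
    'DNS:www.example.org, DNS:example.net, DNS:example.edu, ' +
    'DNS:example.com, DNS:example.org, DNS:www.example.com, ' +
    'DNS:www.example.edu, DNS:www.example.net',
};

// Hypothetical model of a client choosing which name to verify.
// `origin` is the URL the connection is opened to; `servername` is the
// original hostname carried alongside it (the value also sent as SNI and,
// after the fix, used for the Host header).
function verifyPeer(origin, servername) {
  const { hostname } = new URL(origin);
  const checked = servername || hostname;
  // Returns undefined on success, or an Error describing the mismatch.
  const err = tls.checkServerIdentity(checked, cert);
  return {
    checked,
    hostHeader: checked,
    ok: err === undefined,
    code: err ? err.code : null,
    reason: err ? err.reason : null,
  };
}

// 1. No interceptor: the hostname is matched against the DNS SAN entries.
const direct = verifyPeer('https://example.com');

// 2. Origin rewritten to the resolved IP with no servername: an IP literal
//    is compared only against "IP Address:" SAN entries, and there are none.
const rewritten = verifyPeer('https://93.184.215.14');

// 3. Origin rewritten to the IP, original hostname kept as servername.
const withServername = verifyPeer('https://93.184.215.14', 'example.com');

console.log({ direct, rewritten, withServername });
```

Case 2 is also why the request returned a 404 once verification was switched off: the server was addressed by IP rather than by name. Keeping the hostname as `servername` restores both the identity check and name-based routing, so certificate verification never has to be disabled.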