tls, https: validate server certificate by default

This commit changes the default value of the rejectUnauthorized option from
false to true.

What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.

There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.

Fixes #3949.

1 files changed, 19 insertions, 4 deletions

diff --git a/lib/https.js b/lib/https.js
index a243b2bc2e..bc4e8eeea0 100644
--- a/lib/https.js
+++ b/lib/https.js
@@ -21,6 +21,7 @@
 
 var tls = require('tls');
 var http = require('http');
+var util = require('util');
 var url = require('url');
 var inherits = require('util').inherits;
 
@@ -97,11 +98,25 @@ exports.request = function(options, cb) {
     throw new Error('Protocol:' + options.protocol + ' not supported.');
   }
 
-  if (options.agent === undefined) {
-    options.agent = globalAgent;
+  options = util._extend({
+    createConnection: createConnection,
+    defaultPort: 443
+  }, options);
+
+  if (typeof options.agent === 'undefined') {
+    if (typeof options.ca === 'undefined' &&
+        typeof options.cert === 'undefined' &&
+        typeof options.ciphers === 'undefined' &&
+        typeof options.key === 'undefined' &&
+        typeof options.passphrase === 'undefined' &&
+        typeof options.pfx === 'undefined' &&
+        typeof options.rejectUnauthorized === 'undefined') {
+      options.agent = globalAgent;
+    } else {
+      options.agent = new Agent(options);
+    }
   }
-  options.createConnection = createConnection;
-  options.defaultPort = options.defaultPort || 443;
+
   return new http.ClientRequest(options, cb);
 };