authorTobias Müllerleile <tobias@muellerleile.net>2013-04-04 22:10:53 +0300
committerFedor Indutny <fedor.indutny@gmail.com>2013-04-07 22:09:57 +0400
commit4108c31293b86f1323ec3d9012cfe8767ba78d00 (patch)
tree0308d4c2389fcdfb941b569e848d8291431f9d2d /lib/tls.js
parentbd0d45818eac78d3bf2c5510373887cbe9c316d8 (diff)
tls: Re-enable check of CN-ID in cert verification
RFC 6125 explicitly states that a client "MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client", but it MAY do so if none of those identifier types is present, even when other identifier types are.
Diffstat (limited to 'lib/tls.js')
-rw-r--r--lib/tls.js4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/tls.js b/lib/tls.js
index 8650041c91..1ff0d5d679 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -140,7 +140,6 @@ function checkServerIdentity(host, cert) {
//
// Walk through altnames and generate lists of those names
if (cert.subjectaltname) {
- matchCN = false;
cert.subjectaltname.split(/, /g).forEach(function(altname) {
if (/^DNS:/.test(altname)) {
dnsNames.push(altname.slice(4));
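Review bot: Removing `matchCN = false;` from the `if (cert.subjectaltname)` branch leaves `if (dnsNames.length > 0) matchCN = false;` (line 178 of the new file) as the only thing that still suppresses CN matching, so a certificate whose SANs carry a URI-ID or SRV-ID but no DNS-ID would fall back to the Common Name, which the quoted RFC 6125 text forbids for those identifier types just as for DNS-ID. The altname walk continues outside this hunk, so it is not visible whether `URI:` entries are merged into dnsNames before that check; if they are kept in a separate list, the guard should cover it too, or the loop could set a `hasSupportedId = true` flag for each DNS/URI/SRV prefix it recognises and the later line become `if (hasSupportedId) matchCN = false;`. A short comment above the loop, such as `// CN fallback is decided after the walk, once all supported identifiers are known`, would record that the early decision was deliberately moved. checkServerIdentity starts and ends outside the hunk.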
@@ -178,7 +177,8 @@ function checkServerIdentity(host, cert) {
if (dnsNames.length > 0) matchCN = false;
- // Match against Common Name (CN) only if altnames are not present.
+ // Match against Common Name (CN) only if no supported identifiers are
+ // present.
//
// "As noted, a client MUST NOT seek a match for a reference identifier
// of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,