author | Fedor Indutny <fedor@indutny.com> | 2014-04-14 20:08:38 +0400 |
---|---|---|
committer | Fedor Indutny <fedor@indutny.com> | 2014-07-03 00:41:39 +0400 |
commit | e34525356201654bfe35b4bb7edec6f5b47b6374 (patch) | |
tree | 24ec43028e4804b6e85b586f8a036b278c3139d0 /lib/tls.js | |
parent | ae1e325e8a3f05bb17959ec507664e2d06588327 (diff) | |
tls: better error reporting at cert validation
fix #7417
Signed-off-by: Fedor Indutny <fedor@indutny.com>
Diffstat (limited to 'lib/tls.js')
-rw-r--r-- | lib/tls.js | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/lib/tls.js b/lib/tls.js
index 9345632353..b698cc11e9 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -113,7 +113,8 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 uriNames = [],
 ips = [],
 matchCN = true,
- valid = false;
+ valid = false,
+ reason = 'Unknown reason';
 // There're several names to perform check against:
 // CN and altnames in certificate extension
@@ -142,6 +143,11 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 valid = ips.some(function(ip) {
 return ip === host;
 });
+ if (!valid) {
+ reason = util.format('IP: %s is not in the cert\'s list: %s',
+ host,
+ ips.join(', '));
+ }
 } else {
 // Transform hostname to canonical form
 if (!/\.$/.test(host)) host += '.';
@@ -183,9 +189,29 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 valid = dnsNames.some(function(re) {
 return re.test(host);
 });
+
+ if (!valid) {
+ if (cert.subjectaltname) {
+ reason = util.format('Host: %s is not in the cert\'s altnames: %s',
+ host,
+ cert.subjectaltname);
+ } else {
+ reason = util.format('Host: %s is not cert\'s CN: %s',
+ host,
+ cert.subject.CN);
+ }
+ }
 }
- return valid;
+ if (!valid) {
+ var err = new Error(
+ util.format('Hostname/IP doesn\'t match certificate\'s altnames: %j',
+ reason));
+ err.reason = reason;
+ err.host = host;
+ err.cert = cert;
+ return err;
+ }
 };
 // Example: |
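Review bot: The last hunk silently inverts the return contract of the exported checkServerIdentity: `return valid;` is replaced by returning an Error on mismatch and falling off the end (undefined) on success, so any caller that still tests the result for truthiness treats a matching certificate as a failure and a mismatch (a truthy Error object) as a pass; callers are not visible in this diff, so whether one exists is inferred, but for a hostname-verification routine that inversion is the risk worth ruling out before landing. The new contract should be stated at the definition, e.g. `// Returns undefined when host matches the certificate, otherwise an Error carrying .reason, .host and .cert` and every in-tree caller checked for the old boolean test. In the Error construction, `%j` applied to `reason` (already a string) JSON-quotes it inside the message; `%s` gives the plain text. `cert.subject.CN` in the CN branch is read with no guard on `cert.subject`, so a certificate without a subject would throw there instead of producing the descriptive error. checkServerIdentity's body begins before the first hunk and the hunk headers show only its signature.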