author | ghaiklor <ghaiklor@gmail.com> | 2016-03-27 16:09:08 +0300 |
---|---|---|
committer | Sam Roberts <vieuxtech@gmail.com> | 2017-03-23 13:27:56 -0700 |
commit | 348cc80a3cbf0f4271ed30418c6ed661bdeede7b (patch) | |
tree | bea162fc8348e8812d9fec540c3f9bea8013c5ee /lib | |
parent | ee19e2923acc806fc37cabceb03460fb88c95def (diff) | |
tls: make rejectUnauthorized default to true
rejectUnauthorized used to be false when the property was undefined or
null, quietly allowing client connections for which certificates have
been requested (requestCert is true) even when the client certificate
was not authorized (signed by a trusted CA). Change this so
rejectUnauthorized is always true unless it is explicitly set to false.
PR-URL: https://github.com/nodejs/node/pull/5923
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/_tls_wrap.js | 15 |
1 files changed, 3 insertions, 12 deletions
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index e1767c5e67..288f82e05b 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -920,17 +920,8 @@ Server.prototype.setTicketKeys = function setTicketKeys(keys) {
 Server.prototype.setOptions = function(options) {
- if (typeof options.requestCert === 'boolean') {
- this.requestCert = options.requestCert;
- } else {
- this.requestCert = false;
- }
-
- if (typeof options.rejectUnauthorized === 'boolean') {
- this.rejectUnauthorized = options.rejectUnauthorized;
- } else {
- this.rejectUnauthorized = false;
- }
+ this.requestCert = options.requestCert === true;
+ this.rejectUnauthorized = options.rejectUnauthorized !== false;
 if (options.pfx) this.pfx = options.pfx;
 if (options.key) this.key = options.key;
@@ -1062,7 +1053,7 @@ exports.connect = function(...args /* [port,] [host,] [options,] [cb] */) {
 secureContext: context,
 isServer: false,
 requestCert: true,
- rejectUnauthorized: options.rejectUnauthorized,
+ rejectUnauthorized: options.rejectUnauthorized !== false,
 session: options.session,
 NPNProtocols: NPN.NPNProtocols,
 ALPNProtocols: ALPN.ALPNProtocols, |
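Review bot: In `Server.prototype.setOptions`, the two new assignments use opposite defaults — `requestCert` is opt-in (`=== true`) while `rejectUnauthorized` is opt-out (`!== false`) — and no comment records that the asymmetry is intentional. A short comment above the second assignment, e.g. `// Fail closed: only an explicit false disables rejection of unauthorized client certificates.`, would keep a later cleanup from collapsing it back to a truthiness check. With `!== false`, values such as `null`, `0` or `''` now enable rejection as well, which is the safe direction. The diffstat shown is limited to `lib`, so I cannot see whether a test pins the `undefined` and `null` cases; one is worth having. The body of `setOptions` continues past the hunk.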
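Review bot: In the `exports.connect` hunk, the coercion `options.rejectUnauthorized !== false` is applied only to the property of the options object built here, while `options.rejectUnauthorized` itself is left exactly as the caller supplied it. `connect()` starts and ends outside this hunk, so the rest is not visible, but if any later check in the function reads `options.rejectUnauthorized` directly, an explicit `undefined` or `null` would still be treated as falsy there and the two decisions would disagree. Computing the value once, `const rejectUnauthorized = options.rejectUnauthorized !== false;`, and using that constant at every read in `connect()` would keep the fail-closed default consistent.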