author | Jason Macgowan <jason.macgowan@icloud.com> | 2018-09-17 11:31:24 -0400 |
committer | Anna Henningsen <anna@addaleax.net> | 2019-11-29 02:13:41 +0100 |
commit | ff48009fefcecedfee2c6ff1719e5be3f6969049 (patch) | |
tree | 35569fdfbf003b65497a4260e10f83688c5cac16 /lib | |
parent | 3e79c004fdb93d01618fd90f0df934ac12c62353 (diff) | |
tls: allow empty subject even with altNames defined
Behavior described in https://github.com/nodejs/node/issues/11771
is still true even though the issue is closed.
This PR is to allow DNS and URI names, even when there is not a subject.
Refs: https://github.com/nodejs/node/issues/11771
PR-URL: https://github.com/nodejs/node/pull/22906
Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/tls.js | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/lib/tls.js b/lib/tls.js
index 0fec451c2b..281de073c4 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -248,19 +248,28 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
 let valid = false;
 let reason = 'Unknown reason';
+ const hasAltNames =
+ dnsNames.length > 0 || ips.length > 0 || uriNames.length > 0;
+
+ hostname = unfqdn(hostname); // Remove trailing dot for error messages.
+
 if (net.isIP(hostname)) {
 valid = ips.includes(canonicalizeIP(hostname));
 if (!valid)
 reason = `IP: ${hostname} is not in the cert's list: ${ips.join(', ')}`;
 // TODO(bnoordhuis) Also check URI SANs that are IP addresses.
- } else if (subject) {
- hostname = unfqdn(hostname); // Remove trailing dot for error messages.
+ } else if (hasAltNames || subject) {
 const hostParts = splitHost(hostname);
 const wildcard = (pattern) => check(hostParts, pattern, true);
- const noWildcard = (pattern) => check(hostParts, pattern, false);
- // Match against Common Name only if no supported identifiers are present.
- if (dnsNames.length === 0 && ips.length === 0 && uriNames.length === 0) {
+ if (hasAltNames) {
+ const noWildcard = (pattern) => check(hostParts, pattern, false);
+ valid = dnsNames.some(wildcard) || uriNames.some(noWildcard);
+ if (!valid)
+ reason =
+ `Host: ${hostname}. is not in the cert's altnames: ${altNames}`;
+ } else {
+ // Match against Common Name only if no supported identifiers exist.
 const cn = subject.CN;
 if (ArrayIsArray(cn))
@@ -270,11 +279,6 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
 if (!valid)
 reason = `Host: ${hostname}. is not cert's CN: ${cn}`;
- } else {
- valid = dnsNames.some(wildcard) || uriNames.some(noWildcard);
- if (!valid)
- reason =
- `Host: ${hostname}. is not in the cert's altnames: ${altNames}`;
 }
 } else {
 reason = 'Cert is empty'; |
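Review bot: Hoisting `hostname = unfqdn(hostname)` above the `net.isIP(hostname)` test in the first hunk changes how a trailing-dot IP literal is classified: before this change an input like `1.2.3.4.` reached the subject/altnames branch untouched, whereas now the dot is stripped first, so if `net.isIP()` rejects the dotted form such input is newly routed into the IP-SAN path and compared through `canonicalizeIP`. That is plausibly the safer outcome, but the commit message does not mention it and the comment on the moved line still reads `// Remove trailing dot for error messages.`, which understates its effect now that the stripped value feeds both the IP and the hostname comparison. Suggest changing the comment to `// Strip the trailing dot before matching; the stripped form is also used in error messages.` and adding a test that pins the trailing-dot IP-literal case so the behaviour is deliberate rather than incidental. The new `hasAltNames` guard keeps the CN fallback reachable only when no DNS, IP or URI SAN exists, which matches the condition the hunk removes, so no change in that part is needed. checkServerIdentity starts before and ends after this hunk.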