Diffstat (limited to 'lib')
-rw-r--r--lib/tls.js24
1 files changed, 14 insertions, 10 deletions
diff --git a/lib/tls.js b/lib/tls.js
index 0fec451c2b..281de073c4 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -248,19 +248,28 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
let valid = false;
let reason = 'Unknown reason';
+ const hasAltNames =
+ dnsNames.length > 0 || ips.length > 0 || uriNames.length > 0;
+
+ hostname = unfqdn(hostname); // Remove trailing dot for error messages.
+
if (net.isIP(hostname)) {
valid = ips.includes(canonicalizeIP(hostname));
if (!valid)
reason = `IP: ${hostname} is not in the cert's list: ${ips.join(', ')}`;
// TODO(bnoordhuis) Also check URI SANs that are IP addresses.
- } else if (subject) {
- hostname = unfqdn(hostname); // Remove trailing dot for error messages.
+ } else if (hasAltNames || subject) {
const hostParts = splitHost(hostname);
const wildcard = (pattern) => check(hostParts, pattern, true);
- const noWildcard = (pattern) => check(hostParts, pattern, false);
- // Match against Common Name only if no supported identifiers are present.
- if (dnsNames.length === 0 && ips.length === 0 && uriNames.length === 0) {
+ if (hasAltNames) {
+ const noWildcard = (pattern) => check(hostParts, pattern, false);
+ valid = dnsNames.some(wildcard) || uriNames.some(noWildcard);
+ if (!valid)
+ reason =
+ `Host: ${hostname}. is not in the cert's altnames: ${altNames}`;
+ } else {
+ // Match against Common Name only if no supported identifiers exist.
const cn = subject.CN;
if (ArrayIsArray(cn))
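Review bot: Moving `hostname = unfqdn(hostname)` above the `net.isIP(hostname)` test changes which branch a trailing-dot input takes: a value like `1.2.3.4.` presumably fails `net.isIP` and was previously matched as a DNS name against the altnames, whereas after this change the dot is stripped first and it is compared against the IP SANs via `canonicalizeIP` — worth confirming that is intended, since it is a matching change rather than a cosmetic one. The inherited comment `// Remove trailing dot for error messages.` now undersells that, as the stripped value also feeds `net.isIP`, `canonicalizeIP` and `splitHost`; suggest `// Strip a trailing dot before matching (IP check, altname comparison) and for error messages.`. The `else` branch on the CN path relies on `subject` being truthy because `hasAltNames` is false there, which holds given the `hasAltNames || subject` guard; a one-line comment saying so next to `const cn = subject.CN;` would save the next reader the derivation. checkServerIdentity starts before the hunk and continues past it (the CN matching lines after `ArrayIsArray(cn)` are not visible here).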
@@ -270,11 +279,6 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
if (!valid)
reason = `Host: ${hostname}. is not cert's CN: ${cn}`;
- } else {
- valid = dnsNames.some(wildcard) || uriNames.some(noWildcard);
- if (!valid)
- reason =
- `Host: ${hostname}. is not in the cert's altnames: ${altNames}`;
}
} else {
reason = 'Cert is empty';