tls_wrap: use localhost if options.host is empty #1493
Conversation
tls.connect(options) with no options.host should accept a certificate with CN: 'localhost'. Fix Error: Hostname/IP doesn't match certificate's altnames: "Host: undefined. is not cert's CN: localhost" 'localhost' is not added directly to defaults because that is not always desired (for example, when using options.socket) See #1489
| @@ -858,7 +858,8 @@ exports.connect = function(/* [port, host], options, cb */) { | |||
|
|
|||
| var hostname = options.servername || | |||
| options.host || | |||
| options.socket && options.socket._host, | |||
| options.socket && options.socket._host || | |||
There was a problem hiding this comment.
Don't these need to be in parenthesis? Otherwise it will overlap, no?
There was a problem hiding this comment.
I don't think they will overlap, but it's much better with () for sure
There was a problem hiding this comment.
No, Boolean logic defines and at higher precedence than or. So does JavaScript. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Operator_Precedence
There was a problem hiding this comment.
It is unnecessary, as @kkoopa said: && has higher precedence. I just added the ( ) to make the intent clearer to the eye, since the precendence is not obvious.
What's the recommended style for this situation?
There was a problem hiding this comment.
Generally we prefer shorter I think, but no harm in adding a few clarity parens, I'd say.
| ca: cert, | ||
| // No host set here. 'localhost' is the default, | ||
| // but tls.checkServerIdentity() breaks before the fix with: | ||
| // Error: Hostname/IP doesn't match certificate's altnames: "Host: undefined. is not cert's CN: localhost" |
There was a problem hiding this comment.
wrap at 80 columns please :)
| }, function () { | ||
| console.log('OK'); | ||
| process.exit(); | ||
| }); |
There was a problem hiding this comment.
Could you add a terminating newline here so we don't get annoying diff changes later?
|
Sorry for the style inconsistencies. Can someone else confirm this patch fixes the problem? |
| @@ -858,7 +858,8 @@ exports.connect = function(/* [port, host], options, cb */) { | |||
|
|
|||
| var hostname = options.servername || | |||
| options.host || | |||
| options.socket && options.socket._host, | |||
| (options.socket && options.socket._host) || | |||
There was a problem hiding this comment.
Parens should be unnecessary here.
|
The patch works, but I'd prefer the test itself to be silent on success, I'd suggest this change: diff --git a/test/parallel/test-tls-connect-no-host.js b/test/parallel/test-tls-connect-no-host.js
index 1740b24..41aac1a 100644
--- a/test/parallel/test-tls-connect-no-host.js
+++ b/test/parallel/test-tls-connect-no-host.js
@@ -6,6 +6,7 @@ if (!common.hasCrypto) {
}
var tls = require('tls');
+var assert = require('assert');
var fs = require('fs');
var path = require('path');
@@ -20,7 +21,7 @@ tls.createServer({
cert: cert
}).listen(common.PORT);
-tls.connect({
+var socket = tls.connect({
port: common.PORT,
ca: cert,
// No host set here. 'localhost' is the default,
@@ -28,6 +29,6 @@ tls.connect({
// Error: Hostname/IP doesn't match certificate's altnames:
// "Host: undefined. is not cert's CN: localhost"
}, function() {
- console.log('OK');
+ assert(socket.authorized);
process.exit();
}); |
|
Otherwise, LGTM |
|
Thanks for the suggestions @silverwind Should I squash all fix commits into the initial one? |
|
You don't have to worry about that, a collaborator will do it when they |
|
I'll do it for you in this case, everything looks fine. Will merge later today. |
|
This LGTM too. |
tls.connect(options) with no options.host should accept a certificate with CN: 'localhost'. Fix Error: Hostname/IP doesn't match certificate's altnames: "Host: undefined. is not cert's CN: localhost" 'localhost' is not added directly to defaults because that is not always desired (for example, when using options.socket) PR-URL: #1493 Fixes: #1489 Reviewed-By: Brendan Ashworth <[email protected]> Reviewed-By: Roman Reiss <[email protected]>
|
Thanks! Merged in a7d7463 |
tls.connect(options) with no options.host should accept a certificate with CN: 'localhost'. Fix Error: Hostname/IP doesn't match certificate's altnames: "Host: undefined. is not cert's CN: localhost" 'localhost' is not added directly to defaults because that is not always desired (for example, when using options.socket) PR-URL: nodejs#1493 Fixes: nodejs#1489 Reviewed-By: Brendan Ashworth <[email protected]> Reviewed-By: Roman Reiss <[email protected]>
tls.connect(options) with no options.host should accept a certificate with CN: 'localhost'. Fix Error: Hostname/IP doesn't match certificate's altnames: "Host: undefined. is not cert's CN: localhost" 'localhost' is not added directly to defaults because that is not always desired (for example, when using options.socket) PR-URL: nodejs#1493 PORT-PR-URL: nodejs#1560 PORT-FROM: v2.x / a7d7463 Fixes: nodejs#1489 Reviewed-By: Brendan Ashworth <[email protected]> Reviewed-By: Roman Reiss <[email protected]>
That's my PR for #1489. Thanks @Fishrock123 for the actual fix idea
cc: @silverwind @Fishrock123
This is my first PR here, I would really appreciate a careful review ;)