-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls requires a subject even when altNames are defined #11771
Comments
The logic in I think the real bug is in diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index 56baf7b..0e06714 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -148,11 +148,11 @@ exports.translatePeerCertificate = function translatePeerCertificate(c) {
if (!c)
return null;
- if (c.issuer) c.issuer = tls.parseCertString(c.issuer);
- if (c.issuerCertificate && c.issuerCertificate !== c) {
+ if (c.issuer != null) c.issuer = tls.parseCertString(c.issuer);
+ if (c.issuerCertificate != null && c.issuerCertificate !== c) {
c.issuerCertificate = translatePeerCertificate(c.issuerCertificate);
}
- if (c.subject) c.subject = tls.parseCertString(c.subject);
+ if (c.subject != null) c.subject = tls.parseCertString(c.subject);
if (c.infoAccess) {
var info = c.infoAccess;
c.infoAccess = {}; cc @indutny since you wrote that code. |
Node.js default verification does not consider the possibility of an empty subjects ([issue](nodejs/node#11771)). In somce cases Windows Active Directory will use certificates with empty subjects, see this [article](https://blogs.technet.microsoft.com/askds/2008/09/16/third-party-application-fails-using-ldap-over-ssl/) for details, making necessary that the connector supports them to use `ldaps`. This change adds a new configuration option `SSL_ENABLE_EMPTY_SUBJECT` that enables using a patched verification for the server identity that allows using certificates with empty subject. We want to avoid modifying the default behaviour unless required so this flag defaults to `false` and can be enabled when required.
is two months of no activity enough to warrant pinging this? |
Absolutely good idea to ping us. Thank you 😉 |
Just checking in after a further two months -- is there any plan to meet the RFC or should package owners plan on passing their own authentication function like auth0 did? |
@indutny The question was more if you think #11771 (comment) is a proper fix. |
Looking at this further, this actually affects a significant number of packages, and I would recommend that it be treated as a bug. @bnoordhuis -- want to submit your fix as a pull request? |
Also issuerCertificate but that did not fit on the status line. Fixes: nodejs#11771
Also issuerCertificate but that did not fit on the status line. Fixes: #11771 PR-URL: #14473 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
Also issuerCertificate but that did not fit on the status line. Fixes: #11771 PR-URL: #14473 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
Great! This issue has given me headaches. Since this is committed to version 9, which is not LTS yet, would you consider to merge it to version 8? |
Nevermind, I see it was already merged, sorry |
The fix @bnoordhuis supplied didn't seem to change the behavior to adhere to RFC 5280. #22906 fixes the issue for me. |
This issue should be re-opened, per the last comment. |
I'm going to reopen this until #22906 lands |
例) Node.js tls requires a subject even when altNames are defined · Issue #11771 · nodejs/node nodejs/node#11771
例) Node.js tls requires a subject even when altNames are defined · Issue #11771 · nodejs/node nodejs/node#11771
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
That has happened now, closing again :) |
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
I personally ran issue an issue with a bug in Node TLS handling (nodejs/node#11771). This bug was fixed in approximately 12.14.0, and does not show up when I test with v12.22.10, the latest v12 release at the time of this commit. (Issue306)[skooner-k8s#306] Test Plan: Built image locally, deployed to microk8s cluster. No longer experiencing issue with parsing TLS certs. Signed-off-by: Cullen Walsh <[email protected]>
I personally ran issue an issue with a bug in Node TLS handling (nodejs/node#11771). This bug was fixed in approximately 12.14.0, and does not show up when I test with v12.22.10, the latest v12 release at the time of this commit. skooner-k8s#306 Test Plan: Built image locally, deployed to microk8s cluster. No longer experiencing issue with parsing TLS certs. Signed-off-by: Cullen Walsh <[email protected]>
Behavior described in nodejs/node#11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: nodejs/node#11771
When using TLS
checkServerIdentity
is using only subject to determine if a certificate is empty or notnode/lib/tls.js
Line 172 in a2ae089
RFC 5280 allows for a certificate to have only altNames and an empty subject. The existing code already considers altName a priority and uses any supported altNames, if present, instead of the subject.
Although subject empty certificates are not common Windows uses them in their infrastructure so improving this check will simplify integration with systems using certificates with empty subjects.
The text was updated successfully, but these errors were encountered: