Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls requires a subject even when altNames are defined #22906

Closed
wants to merge 1 commit into from
Closed

tls requires a subject even when altNames are defined #22906

wants to merge 1 commit into from

Conversation

jasonmacgowan
Copy link

Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot nodejs-github-bot added the tls Issues and PRs related to the tls subsystem. label Sep 17, 2018
@jasonmacgowan
Copy link
Author

@bnoordhuis thoughts?

@addaleax
Copy link
Member

@nodejs/crypto ?

@ryzokuken
Copy link
Contributor

/cc @bnoordhuis is it expected to behave like this after #14473?

@addaleax
Copy link
Member

@jasnell Since you approved this … is this ready to be landed? Is it semver-major?

CI: https://ci.nodejs.org/job/node-test-pull-request/17410/

@jasnell
Copy link
Member

jasnell commented Sep 25, 2018

I'd prefer a look from @nodejs/crypto given the context. It looks fine for me but this particular bit of stuff always can stand more eyes.

lib/tls.js Outdated
@@ -204,7 +204,7 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
if (!valid)
reason = `IP: ${hostname} is not in the cert's list: ${ips.join(', ')}`;
// TODO(bnoordhuis) Also check URI SANs that are IP addresses.
} else if (subject) {
} else if (subject || altNames) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line 215 is going to throw a TypeError if it tries to read subject.CN when subject == null and altNames does not contain DNS:, IP: or URI: fields.

The logic should be something like } else if (subject || haveAltNames) { where haveAltNames is this:

const haveAltNames = dnsNames.length > 0 || ips.length > 0 || uriNames.length > 0;

I'd swap the branches of the if statement on line 214 so you can write if (haveAltNames) { - negations are to be avoided when possible.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would have done the opposite: defined const noAltNames because switching the branches textually from their previous location makes the diff larger, and obscures what is actually being changed, which is much smaller.

@jasonmacgowan
Copy link
Author

@bnoordhuis please review. Thanks!

lib/tls.js Outdated
hostname = unfqdn(hostname); // Remove trailing dot for error messages.
const hostParts = splitHost(hostname);
const wildcard = (pattern) => check(hostParts, pattern, true);
const noWildcard = (pattern) => check(hostParts, pattern, false);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be better to move these back inside an if statement.

unfqdn() and splitHost() are somewhat expensive operations that the user shouldn't have to pay for when the other branches are taken.

@sam-github
Copy link
Contributor

ping @jasonmacgowan

@jasonmacgowan
Copy link
Author

@bnoordhuis take 3; please review. Thanks!

cc: @sam-github

@sam-github
Copy link
Contributor

It surprised me that the check against a subjectAlternativeName didn't fall back on failure to the CN attribute of the subject, but I found that is required, at least it is here: https://tools.ietf.org/html/rfc6125#section-6.4.4

However, the domainComponent (if used, its likely uncommon) of the subject does look like it can be checked as a backup to the alt name: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 But... we don't support that. Unrelated to this PR.

While I agree in general with Ben's point about negatives in conditionals, in this case I think it causes excessive churn, but I'll leave that to him to comment on.

So, just one request: can you please ensure that tests exist with a subject CN, proving that it is disregarded for matching the hostname when when an alt name exists, but only if the altname contains one of the 3 "domainish" attributes? I think that'd be at least two tests.

@adamrobertbacon
Copy link

Is it cheeky for me to bump this issue. I have been dabbling my feet into nodejs for the first time and I've just fallen foul of the issue myself. My internal CA provider has decided to start using certs with an empty subject line. Could find no way around it so I had to allow unauthorised connections for an LDAPS lookup. Not the end of the world but far from ideal. Keep up the good work!

@jasonmacgowan
Copy link
Author

@adamrobertbacon check out auth0/ad-ldap-connector@1f4dd2b for a decent work around that doesn't require allowing all certs blindly.

@rajha-korithrien
Copy link

rajha-korithrien commented May 31, 2019

If it was cheeky for @adamrobertbacon to ping this issue back in April, I suppose it is even more cheeky for me to ping it in late May??

Thanks @jasonmacgowan for this code and a pointer to ad-ldap-connector. It will fit my needs of getting ldapjs to be a client of an Active Directory ldaps server with a default Microsoft self signed certifitate. Said certificate falls exactly into this boat, empty subject, DNS host name as a Subject Alternative Name.

Is there a thought as to what is still needed to get this merged? It is unexpected that an admittedly strange but (to my knowledge) standards conformant cert is not supported by the node.js TLS system.

Thanks!

@Monual
Copy link

Monual commented Oct 31, 2019

Can we get this approved and merged? This bug is affecting our production environment.

@addaleax
Copy link
Member

@sam-github You seem knowledgeable here, do you think you could write the tests you requested and push them here?

@nodejs-github-bot
Copy link
Collaborator

@sam-github
Copy link
Contributor

I'd like to, but I just don't have the time. Consider my comment unblocking.

@addaleax addaleax added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Oct 31, 2019
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771
@addaleax
Copy link
Member

Squashed and rebased to avoid a merge conflict.

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

addaleax pushed a commit that referenced this pull request Nov 29, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <[email protected]>
@addaleax
Copy link
Member

Landed in ff48009 🎉

@addaleax addaleax closed this Nov 29, 2019
addaleax pushed a commit that referenced this pull request Nov 30, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <[email protected]>
targos pushed a commit that referenced this pull request Dec 1, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <[email protected]>
@BridgeAR BridgeAR mentioned this pull request Dec 3, 2019
@BethGriggs BethGriggs mentioned this pull request Dec 9, 2019
MylesBorins pushed a commit that referenced this pull request Dec 17, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <[email protected]>
@BethGriggs BethGriggs mentioned this pull request Dec 23, 2019
richardlau pushed a commit that referenced this pull request Jul 1, 2020
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <[email protected]>
@richardlau richardlau mentioned this pull request Jul 2, 2020
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.