-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls requires a subject even when altNames are defined #22906
Conversation
@bnoordhuis thoughts? |
@nodejs/crypto ? |
/cc @bnoordhuis is it expected to behave like this after #14473? |
@jasnell Since you approved this … is this ready to be landed? Is it semver-major? |
I'd prefer a look from @nodejs/crypto given the context. It looks fine for me but this particular bit of stuff always can stand more eyes. |
lib/tls.js
Outdated
@@ -204,7 +204,7 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) { | |||
if (!valid) | |||
reason = `IP: ${hostname} is not in the cert's list: ${ips.join(', ')}`; | |||
// TODO(bnoordhuis) Also check URI SANs that are IP addresses. | |||
} else if (subject) { | |||
} else if (subject || altNames) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Line 215 is going to throw a TypeError if it tries to read subject.CN
when subject == null
and altNames
does not contain DNS:, IP: or URI: fields.
The logic should be something like } else if (subject || haveAltNames) {
where haveAltNames
is this:
const haveAltNames = dnsNames.length > 0 || ips.length > 0 || uriNames.length > 0;
I'd swap the branches of the if
statement on line 214 so you can write if (haveAltNames) {
- negations are to be avoided when possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would have done the opposite: defined const noAltNames
because switching the branches textually from their previous location makes the diff larger, and obscures what is actually being changed, which is much smaller.
@bnoordhuis please review. Thanks! |
lib/tls.js
Outdated
hostname = unfqdn(hostname); // Remove trailing dot for error messages. | ||
const hostParts = splitHost(hostname); | ||
const wildcard = (pattern) => check(hostParts, pattern, true); | ||
const noWildcard = (pattern) => check(hostParts, pattern, false); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be better to move these back inside an if
statement.
unfqdn()
and splitHost()
are somewhat expensive operations that the user shouldn't have to pay for when the other branches are taken.
ping @jasonmacgowan |
@bnoordhuis take 3; please review. Thanks! cc: @sam-github |
It surprised me that the check against a subjectAlternativeName didn't fall back on failure to the However, the domainComponent (if used, its likely uncommon) of the subject does look like it can be checked as a backup to the alt name: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 But... we don't support that. Unrelated to this PR. While I agree in general with Ben's point about negatives in conditionals, in this case I think it causes excessive churn, but I'll leave that to him to comment on. So, just one request: can you please ensure that tests exist with a subject CN, proving that it is disregarded for matching the hostname when when an alt name exists, but only if the altname contains one of the 3 "domainish" attributes? I think that'd be at least two tests. |
Is it cheeky for me to bump this issue. I have been dabbling my feet into nodejs for the first time and I've just fallen foul of the issue myself. My internal CA provider has decided to start using certs with an empty subject line. Could find no way around it so I had to allow unauthorised connections for an LDAPS lookup. Not the end of the world but far from ideal. Keep up the good work! |
@adamrobertbacon check out auth0/ad-ldap-connector@1f4dd2b for a decent work around that doesn't require allowing all certs blindly. |
If it was cheeky for @adamrobertbacon to ping this issue back in April, I suppose it is even more cheeky for me to ping it in late May?? Thanks @jasonmacgowan for this code and a pointer to ad-ldap-connector. It will fit my needs of getting ldapjs to be a client of an Active Directory ldaps server with a default Microsoft self signed certifitate. Said certificate falls exactly into this boat, empty subject, DNS host name as a Subject Alternative Name. Is there a thought as to what is still needed to get this merged? It is unexpected that an admittedly strange but (to my knowledge) standards conformant cert is not supported by the node.js TLS system. Thanks! |
Can we get this approved and merged? This bug is affecting our production environment. |
@sam-github You seem knowledgeable here, do you think you could write the tests you requested and push them here? |
I'd like to, but I just don't have the time. Consider my comment unblocking. |
Squashed and rebased to avoid a merge conflict. |
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
Landed in ff48009 🎉 |
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject. Refs: #11771 PR-URL: #22906 Reviewed-By: James M Snell <[email protected]>
Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject.
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes