Skip to content

Commit

Permalink
tls: emit a warning when servername is an IP address
Browse files Browse the repository at this point in the history
Setting the TLS ServerName to an IP address is not permitted by
RFC6066. This will be ignored in a future version.

Closes: nodejs#18071
Refs: nodejs#18127
  • Loading branch information
oyyd committed Oct 28, 2018
1 parent 1d253f8 commit 3b3dd7c
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 3 deletions.
15 changes: 15 additions & 0 deletions doc/api/deprecations.md
Original file line number Diff line number Diff line change
Expand Up @@ -2293,6 +2293,20 @@ Type: Runtime
Please use `Server.prototype.setSecureContext()` instead.
<a id="DEP00XX"></a>
### DEP00XX: setting the TLS ServerName to an IP address
<!-- YAML
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/REPLACEME
description: Runtime deprecation.
-->
Type: Runtime
Setting the TLS ServerName to an IP address is not permitted by
[RFC 6066][]. This will be ignored in a future version.
[`--pending-deprecation`]: cli.html#cli_pending_deprecation
[`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size
[`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array
Expand Down Expand Up @@ -2393,3 +2407,4 @@ Please use `Server.prototype.setSecureContext()` instead.
[legacy `urlObject`]: url.html#url_legacy_urlobject
[NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
[WHATWG URL API]: url.html#url_the_whatwg_url_api
[RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3
7 changes: 4 additions & 3 deletions lib/_tls_wrap.js
Original file line number Diff line number Diff line change
Expand Up @@ -1235,9 +1235,10 @@ exports.connect = function connect(...args) {
if (options.servername) {
if (!ipServernameWarned && net.isIP(options.servername)) {
process.emitWarning(
'Setting the TLS ServerName to an IP address is not supported by ' +
'RFC6066. This will be ignored in a future version.',
'UnsupportedWarning'
'Setting the TLS ServerName to an IP address is not permitted by ' +
'RFC 6066. This will be ignored in a future version.',
'DeprecationWarning',
'DEP00XX'
);
ipServernameWarned = true;
}
Expand Down
41 changes: 41 additions & 0 deletions test/parallel/test-tls-ip-servername-deprecation.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
'use strict';

const common = require('../common');
const fixtures = require('../common/fixtures');

if (!common.hasCrypto)
common.skip('missing crypto');

const tls = require('tls');

// This test expects `tls.connect()` to emit a warning when
// `servername` of options is an IP address.
common.expectWarning(
'DeprecationWarning',
'Setting the TLS ServerName to an IP address is not permitted by ' +
'RFC 6066. This will be ignored in a future version.',
'DEP00XX'
);

{
const options = {
key: fixtures.readKey('agent1-key.pem'),
cert: fixtures.readKey('agent1-cert.pem')
};

const server = tls.createServer(options, function(s) {
s.end('hello');
}).listen(0, function() {
const client = tls.connect({
port: this.address().port,
rejectUnauthorized: false,
servername: '127.0.0.1',
}, function() {
client.end();
});
});

server.on('connection', common.mustCall(function(socket) {
server.close();
}));
}

0 comments on commit 3b3dd7c

Please sign in to comment.