Skip to content

Commit

Permalink
tls_wrap: use localhost if options.host is empty
Browse files Browse the repository at this point in the history
tls.connect(options) with no options.host should accept a certificate
with CN: 'localhost'. Fix Error: Hostname/IP doesn't match
certificate's altnames: "Host: undefined. is not cert's CN: localhost"

'localhost' is not added directly to defaults because that is not
always desired (for example, when using options.socket)

PR-URL: #1493
Fixes: #1489
Reviewed-By: Brendan Ashworth <[email protected]>
Reviewed-By: Roman Reiss <[email protected]>
  • Loading branch information
sitegui authored and silverwind committed Apr 23, 2015
1 parent 22aafa5 commit a7d7463
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/_tls_wrap.js
Original file line number Diff line number Diff line change
Expand Up @@ -858,7 +858,8 @@ exports.connect = function(/* [port, host], options, cb */) {

var hostname = options.servername ||
options.host ||
options.socket && options.socket._host,
(options.socket && options.socket._host) ||
'localhost',
NPN = {},
context = tls.createSecureContext(options);
tls.convertNPNProtocols(options.NPNProtocols, NPN);
Expand Down
34 changes: 34 additions & 0 deletions test/parallel/test-tls-connect-no-host.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
var common = require('../common');

if (!common.hasCrypto) {
console.log('1..0 # Skipped: missing crypto');
process.exit();
}
var tls = require('tls');

var assert = require('assert');
var fs = require('fs');
var path = require('path');

var cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
var key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));

// https://github.com/iojs/io.js/issues/1489
// tls.connect(options) with no options.host should accept a cert with
// CN:'localhost'
tls.createServer({
key: key,
cert: cert
}).listen(common.PORT);

var socket = tls.connect({
port: common.PORT,
ca: cert,
// No host set here. 'localhost' is the default,
// but tls.checkServerIdentity() breaks before the fix with:
// Error: Hostname/IP doesn't match certificate's altnames:
// "Host: undefined. is not cert's CN: localhost"
}, function() {
assert(socket.authorized);
process.exit();
});

0 comments on commit a7d7463

Please sign in to comment.