authorTobias Nießen <tniessen@tnie.de>2022-01-17 17:35:47 +0300
committerTobias Nießen <tniessen@tnie.de>2022-01-19 18:05:32 +0300
commitda1b59fc1388f8bffab870d80efa96db49439b6e (patch)
tree409222019979fd5de213d7f55c3418fed56141bb /test
parent119519e1da2be1f180e8d66bd0bb79403624ea73 (diff)
crypto: support RFC 2818 compatible checkHost
The 'subject' option should not only accept the values 'always' and 'never' because neither is compatible with RFC 2818, i.e., HTTPS. This change adds a third value 'default', which implies the behavior that HTTPS mandates. The new 'default' case matches the default behavior of OpenSSL for both DNS names and email addresses. Future Node.js versions should change the default option value from 'always' to 'default'. Refs: https://github.com/nodejs/node/pull/36804 PR-URL: https://github.com/nodejs/node/pull/41569 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Diffstat (limited to 'test')
-rw-r--r--test/parallel/test-x509-escaping.js18
1 files changed, 18 insertions, 0 deletions
diff --git a/test/parallel/test-x509-escaping.js b/test/parallel/test-x509-escaping.js
index 4c05e2bdb73..58524e06a6e 100644
--- a/test/parallel/test-x509-escaping.js
+++ b/test/parallel/test-x509-escaping.js
@@ -424,6 +424,15 @@ const { hasOpenSSL3 } = common;
assert.strictEqual(certX509.subject, `CN=${servername}`);
assert.strictEqual(certX509.subjectAltName, 'DNS:evil.example.com');
+ // The newer X509Certificate API allows customizing this behavior:
+ assert.strictEqual(certX509.checkHost(servername), servername);
+ assert.strictEqual(certX509.checkHost(servername, { subject: 'default' }),
+ undefined);
+ assert.strictEqual(certX509.checkHost(servername, { subject: 'always' }),
+ servername);
+ assert.strictEqual(certX509.checkHost(servername, { subject: 'never' }),
+ undefined);
+
// Try connecting to a server that uses the self-signed certificate.
const server = tls.createServer({ key, cert }, common.mustNotCall());
server.listen(common.mustCall(() => {
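Review bot: The bare `certX509.checkHost(servername)` assertion in this hunk passes only because the option currently defaults to 'always', and the comment above it does not say so. Here the certificate carries a dNSName SAN (`DNS:evil.example.com`), so the match on the subject CN is exactly the non-RFC 2818 behaviour that the commit message says a future release should stop defaulting to. A comment such as `// The current default is 'always': the CN still matches although a dNSName SAN is present. Update this when the default becomes 'default'.` would make the expectation explicit and flag the line that must change with the default. The enclosing block starts and ends outside the hunk.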
@@ -454,6 +463,15 @@ const { hasOpenSSL3 } = common;
assert.strictEqual(certX509.subject, `CN=${servername}`);
assert.strictEqual(certX509.subjectAltName, 'IP Address:1.2.3.4');
+ // The newer X509Certificate API allows customizing this behavior:
+ assert.strictEqual(certX509.checkHost(servername), servername);
+ assert.strictEqual(certX509.checkHost(servername, { subject: 'default' }),
+ servername);
+ assert.strictEqual(certX509.checkHost(servername, { subject: 'always' }),
+ servername);
+ assert.strictEqual(certX509.checkHost(servername, { subject: 'never' }),
+ undefined);
+
// Connect to a server that uses the self-signed certificate.
const server = tls.createServer({ key, cert }, common.mustCall((socket) => {
socket.destroy();
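Review bot: The `{ subject: 'default' }` assertion here expects `servername`, while the otherwise identical assertion in the previous hunk expects `undefined`, and nothing in the test explains the difference. The visible distinction is that this certificate's subjectAltName is `IP Address:1.2.3.4`, so there is no dNSName entry and the subject CN is presumably used as the fallback identity; a comment like `// No dNSName SAN is present, so 'default' falls back to the subject CN.` would document that. The commit message also says 'default' applies to email addresses, yet the diffstat for test/ shows only these checkHost assertions, so a matching `checkEmail` case may be worth adding unless it is covered elsewhere. The enclosing block continues outside the hunk.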