tls: Re-enable check of CN-ID in cert verification

RFC 6125 explicitly states that a client "MUST NOT seek a match
for a reference identifier of CN-ID if the presented identifiers
include a DNS-ID, SRV-ID, URI-ID, or any application-specific
identifier types supported by the client", but it MAY do so if
none of those identifier types is present (even when other
identifier types are).
Tobias Müllerleile 2013-04-04 22:10:53 +03:00 committed by Fedor Indutny
parent bd0d45818e
commit 4108c31293
1 changed files with 2 additions and 2 deletions


@ -140,7 +140,6 @@ function checkServerIdentity(host, cert) {
// //
// Walk through altnames and generate lists of those names // Walk through altnames and generate lists of those names
if (cert.subjectaltname) { if (cert.subjectaltname) {
matchCN = false;
cert.subjectaltname.split(/, /g).forEach(function(altname) { cert.subjectaltname.split(/, /g).forEach(function(altname) {
if (/^DNS:/.test(altname)) { if (/^DNS:/.test(altname)) {
dnsNames.push(altname.slice(4)); dnsNames.push(altname.slice(4));
@ -178,7 +177,8 @@ function checkServerIdentity(host, cert) {
if (dnsNames.length > 0) matchCN = false; if (dnsNames.length > 0) matchCN = false;
// Match against Common Name (CN) only if altnames are not present. // Match against Common Name (CN) only if no supported identifiers are
// present.
// //
// "As noted, a client MUST NOT seek a match for a reference identifier // "As noted, a client MUST NOT seek a match for a reference identifier
// of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, // of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,