tls_wrap: use localhost if options.host is empty

tls.connect(options) with no options.host should accept a certificate with CN: 'localhost'. Fix Error: Hostname/IP doesn't match certificate's altnames: "Host: undefined. is not cert's CN: localhost" 'localhost' is not added directly to defaults because that is not always desired (for example, when using options.socket) PR-URL: https://github.com/iojs/io.js/pull/1493 Fixes: https://github.com/iojs/io.js/issues/1489 Reviewed-By: Brendan Ashworth <brendan.ashworth@me.com> Reviewed-By: Roman Reiss <me@silverwind.io>
2015-04-21 18:24:13 -03:00 · 2015-04-21 18:24:13 -03:00 · a7d74633f2
parent 22aafa5597
commit a7d74633f2
2 changed files with 36 additions and 1 deletions
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@ -858,7 +858,8 @@ exports.connect = function(/* [port, host], options, cb */) {

  var hostname = options.servername ||
                 options.host ||
-                 options.socket && options.socket._host,
+                 (options.socket && options.socket._host) ||
+                 'localhost',
      NPN = {},
      context = tls.createSecureContext(options);
  tls.convertNPNProtocols(options.NPNProtocols, NPN);
--- a/test/parallel/test-tls-connect-no-host.js
+++ b/test/parallel/test-tls-connect-no-host.js
@ -0,0 +1,34 @@
+var common = require('../common');
+
+if (!common.hasCrypto) {
+  console.log('1..0 # Skipped: missing crypto');
+  process.exit();
+}
+var tls = require('tls');
+
+var assert = require('assert');
+var fs = require('fs');
+var path = require('path');
+
+var cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
+var key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
+
+// https://github.com/iojs/io.js/issues/1489
+// tls.connect(options) with no options.host should accept a cert with
+//   CN:'localhost'
+tls.createServer({
+  key: key,
+  cert: cert
+}).listen(common.PORT);
+
+var socket = tls.connect({
+    port: common.PORT,
+    ca: cert,
+    // No host set here. 'localhost' is the default,
+    // but tls.checkServerIdentity() breaks before the fix with:
+    // Error: Hostname/IP doesn't match certificate's altnames:
+    //   "Host: undefined. is not cert's CN: localhost"
+}, function() {
+    assert(socket.authorized);
+    process.exit();
+});