Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls requires a subject even when altNames are defined #22906

Closed
wants to merge 1 commit into from
Closed

tls requires a subject even when altNames are defined #22906

wants to merge 1 commit into from

Conversation

@jasonmacgowan
Copy link

@jasonmacgowan jasonmacgowan commented Sep 17, 2018

Behavior described in #11771 is still true even though the issue is closed. This PR is to allow DNS and URI names, even when there is not a subject.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines
@jasonmacgowan
Copy link
Author

@jasonmacgowan jasonmacgowan commented Sep 18, 2018

@bnoordhuis thoughts?

@addaleax
Copy link
Member

@addaleax addaleax commented Sep 22, 2018

@ryzokuken
Copy link
Member

@ryzokuken ryzokuken commented Sep 23, 2018

/cc @bnoordhuis is it expected to behave like this after #14473?

@addaleax
Copy link
Member

@addaleax addaleax commented Sep 24, 2018

@jasnell Since you approved this … is this ready to be landed? Is it semver-major?

CI: https://ci.nodejs.org/job/node-test-pull-request/17410/

@jasnell
Copy link
Member

@jasnell jasnell commented Sep 25, 2018

I'd prefer a look from @nodejs/crypto given the context. It looks fine for me but this particular bit of stuff always can stand more eyes.

@jasnell jasnell requested review from bnoordhuis and shigeki Sep 25, 2018
lib/tls.js Outdated
@@ -204,7 +204,7 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
if (!valid)
reason = `IP: ${hostname} is not in the cert's list: ${ips.join(', ')}`;
// TODO(bnoordhuis) Also check URI SANs that are IP addresses.
} else if (subject) {
} else if (subject || altNames) {
Copy link
Member

@bnoordhuis bnoordhuis Sep 25, 2018

Line 215 is going to throw a TypeError if it tries to read subject.CN when subject == null and altNames does not contain DNS:, IP: or URI: fields.

The logic should be something like } else if (subject || haveAltNames) { where haveAltNames is this:

const haveAltNames = dnsNames.length > 0 || ips.length > 0 || uriNames.length > 0;

I'd swap the branches of the if statement on line 214 so you can write if (haveAltNames) { - negations are to be avoided when possible.

Copy link
Contributor

@sam-github sam-github Dec 3, 2018

I would have done the opposite: defined const noAltNames because switching the branches textually from their previous location makes the diff larger, and obscures what is actually being changed, which is much smaller.

@jasonmacgowan
Copy link
Author

@jasonmacgowan jasonmacgowan commented Sep 28, 2018

@bnoordhuis please review. Thanks!

lib/tls.js Outdated
hostname = unfqdn(hostname); // Remove trailing dot for error messages.
const hostParts = splitHost(hostname);
const wildcard = (pattern) => check(hostParts, pattern, true);
const noWildcard = (pattern) => check(hostParts, pattern, false);
Copy link
Member

@bnoordhuis bnoordhuis Oct 8, 2018

It would be better to move these back inside an if statement.

unfqdn() and splitHost() are somewhat expensive operations that the user shouldn't have to pay for when the other branches are taken.

@sam-github
Copy link
Contributor

@sam-github sam-github commented Nov 27, 2018

@jasonmacgowan
Copy link
Author

@jasonmacgowan jasonmacgowan commented Dec 1, 2018

@bnoordhuis take 3; please review. Thanks!

cc: @sam-github

@sam-github
Copy link
Contributor

@sam-github sam-github commented Dec 3, 2018

It surprised me that the check against a subjectAlternativeName didn't fall back on failure to the CN attribute of the subject, but I found that is required, at least it is here: https://tools.ietf.org/html/rfc6125#section-6.4.4

However, the domainComponent (if used, its likely uncommon) of the subject does look like it can be checked as a backup to the alt name: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 But... we don't support that. Unrelated to this PR.

While I agree in general with Ben's point about negatives in conditionals, in this case I think it causes excessive churn, but I'll leave that to him to comment on.

So, just one request: can you please ensure that tests exist with a subject CN, proving that it is disregarded for matching the hostname when when an alt name exists, but only if the altname contains one of the 3 "domainish" attributes? I think that'd be at least two tests.

@adamrobertbacon
Copy link

@adamrobertbacon adamrobertbacon commented Apr 13, 2019

Is it cheeky for me to bump this issue. I have been dabbling my feet into nodejs for the first time and I've just fallen foul of the issue myself. My internal CA provider has decided to start using certs with an empty subject line. Could find no way around it so I had to allow unauthorised connections for an LDAPS lookup. Not the end of the world but far from ideal. Keep up the good work!

@jasonmacgowan
Copy link
Author

@jasonmacgowan jasonmacgowan commented Apr 15, 2019

@adamrobertbacon check out auth0/ad-ldap-connector@1f4dd2b for a decent work around that doesn't require allowing all certs blindly.

@rajha-korithrien
Copy link

@rajha-korithrien rajha-korithrien commented May 31, 2019

If it was cheeky for @adamrobertbacon to ping this issue back in April, I suppose it is even more cheeky for me to ping it in late May??

Thanks @jasonmacgowan for this code and a pointer to ad-ldap-connector. It will fit my needs of getting ldapjs to be a client of an Active Directory ldaps server with a default Microsoft self signed certifitate. Said certificate falls exactly into this boat, empty subject, DNS host name as a Subject Alternative Name.

Is there a thought as to what is still needed to get this merged? It is unexpected that an admittedly strange but (to my knowledge) standards conformant cert is not supported by the node.js TLS system.

Thanks!

@Monual
Copy link

@Monual Monual commented Oct 31, 2019

Can we get this approved and merged? This bug is affecting our production environment.

@addaleax
Copy link
Member

@addaleax addaleax commented Oct 31, 2019

@sam-github You seem knowledgeable here, do you think you could write the tests you requested and push them here?

@nodejs-github-bot
Copy link
Contributor

@nodejs-github-bot nodejs-github-bot commented Oct 31, 2019

@sam-github
Copy link
Contributor

@sam-github sam-github commented Oct 31, 2019

I'd like to, but I just don't have the time. Consider my comment unblocking.

@nodejs-github-bot
Copy link
Contributor

@nodejs-github-bot nodejs-github-bot commented Nov 5, 2019

@nodejs-github-bot
Copy link
Contributor

@nodejs-github-bot nodejs-github-bot commented Nov 8, 2019

@nodejs-github-bot
Copy link
Contributor

@nodejs-github-bot nodejs-github-bot commented Nov 19, 2019

@nodejs-github-bot
Copy link
Contributor

@nodejs-github-bot nodejs-github-bot commented Nov 28, 2019

@nodejs-github-bot
Copy link
Contributor

@nodejs-github-bot nodejs-github-bot commented Nov 28, 2019

Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771
@addaleax
Copy link
Member

@addaleax addaleax commented Nov 28, 2019

Squashed and rebased to avoid a merge conflict.

@nodejs-github-bot
Copy link
Contributor

@nodejs-github-bot nodejs-github-bot commented Nov 28, 2019

@nodejs-github-bot
Copy link
Contributor

@nodejs-github-bot nodejs-github-bot commented Nov 28, 2019

addaleax added a commit that referenced this issue Nov 29, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <jasnell@gmail.com>
@addaleax
Copy link
Member

@addaleax addaleax commented Nov 29, 2019

Landed in ff48009 🎉

@addaleax addaleax closed this Nov 29, 2019
addaleax added a commit that referenced this issue Nov 30, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <jasnell@gmail.com>
targos added a commit that referenced this issue Dec 1, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <jasnell@gmail.com>
@BridgeAR BridgeAR mentioned this pull request Dec 3, 2019
@BethGriggs BethGriggs mentioned this pull request Dec 9, 2019
MylesBorins added a commit that referenced this issue Dec 17, 2019
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <jasnell@gmail.com>
@BethGriggs BethGriggs mentioned this pull request Dec 23, 2019
richardlau added a commit that referenced this issue Jul 1, 2020
Behavior described in #11771
is still true even though the issue is closed.

This PR is to allow DNS and URI names, even when there is not a subject.

Refs: #11771

PR-URL: #22906
Reviewed-By: James M Snell <jasnell@gmail.com>
@richardlau richardlau mentioned this pull request Jul 2, 2020
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet