https.createServer accepts any non-falsey values for key and cert #12802
Labels
good first issue
Issues that are suitable for first-time contributors.
https
Issues or PRs related to the https subsystem.
Comments
|
Possible duplicate of #11978? |
|
@evanlucas I'd have to repro it with a different setup to be sure, but I think for null values the browser will report that the certificate is simply missing and declare the site insecure. In this case, the site won't even load because the handshake completely fails and has a |
|
@nodejs/http |
bnoordhuis
added
the
good first issue
|
Rejecting definitely wrong values is a good idea. I've added the good-first-contribution label. |
jimmycann
added a commit
to jimmycann/node
that referenced
this issue
Aug 13, 2017
When using https.createServer, passing boolean values for `key` and `cert` properties in the options object parameter doesn't throw an error an could lead to potential issues if they're accidentally passed. This PR aims to throw a reasonable error if a boolean was passed to either of those properties. Fixes: nodejs#12802
3 tasks
jimmycann
added a commit
to jimmycann/node
that referenced
this issue
Aug 14, 2017
Taking on board the review from the initial PR, multiple changes have been made. - Type checking now a whitelist as opposed to only checking for a boolean - Type checking moved to the underlying `_tls_common` , `tls` and `https` modules now affected - Arrays are now iterated using `map` instead of `for` for affected sections -Testing added for the `tls` module Fixes: nodejs#12802
jimmycann
added a commit
to jimmycann/node
that referenced
this issue
Aug 16, 2017
Additional changes in line with PR review - Loosen type checking for buffers using the ArrayBuffer method - Require pem files using updated fixture access method - Add tests for ArrayBuffer and DataView types Fixes: nodejs#12802
jimmycann
added a commit
to jimmycann/node
that referenced
this issue
Aug 16, 2017
- Change iteration method from map -> forEach Fixes: nodejs#12802
ghost
pushed a commit
to ayojs/ayo
that referenced
this issue
Aug 30, 2017
PR-URL: nodejs/node#14807 Fixes: nodejs/node#12802 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Roman Reiss <me@silverwind.io> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
ghost
pushed a commit
to ayojs/ayo
that referenced
this issue
Aug 30, 2017
PR-URL: nodejs/node#14807 Fixes: nodejs/node#12802 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Roman Reiss <me@silverwind.io> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When using https.createServer, passing a boolean to cert and/or key will not cause an error, but will result in an invalid certificate at runtime. For instance:
I discovered this with a pretty silly code mistake like:
It was certainly user error. However, in the types for the options object, the valid types are listed as:
Then in https.js, there is no typechecking for creating the server, and for outbound requests, non-falsey value for gets concatenated (and therefore cast to a string):
For invalid types, there could probably be an error thrown rather than issuing a completely invalid certificate. Though it would be overkill to validate certs at runtime rather than time of connection, checking for valid types might be a good idea since there's currently (as far as I can tell) no difference between this mistake and a totally invalid certificate, making it hard to debug. Instead a non-string, non-object (for key), non-buffer should probably be functionally identical to having no certificate.
For SEO purposes, this mistake will likely result in the following error with an in-browser response:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The text was updated successfully, but these errors were encountered: