tls: rejectUnauthorized is treated to true by default by ghaiklor · Pull Request #5923 · nodejs/node
vkurchatkin added the semver-major label Mar 27, 2016
tls.connect treats rejectUnauthorized as a false value, when we need to treat it only when rejectUnauthorized is really set to false
The problem here is the old behaviour of rejectUnauthorized. With the previous implementation you could treat undefined as false. After this behaviour was fixed, we need to explicitly set to false.
jasnell added this to the 8.0.0 milestone
sam-github pushed a commit that referenced this pull request
Mar 23, 2017
rejectUnauthorized used to be false when the property was undefined or null, quietly allowing client connections for which certificates have been requested (requestCert is true) even when the client certificate was not authorized (signed by a trusted CA). Change this so rejectUnauthorized is always true unless it is explicitly set to false.
PR-URL: #5923
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
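An added example, not code from this pull request or from Node.js: it models the old and new defaults as the commit message above describes them and audits `tls.createServer()` option objects for configurations whose behaviour changes. The function names, finding labels and sample service names are hypothetical, and treating other non-boolean values by truthiness in the old model is an assumption.

```javascript
'use strict';

// Model of the two defaults as the commit message describes them
// (an illustration, not the code from Node.js itself).
function effectiveBefore(value) {
  // Before the change: undefined or null behaved as false.
  // Assumption: any other value is taken by its truthiness.
  return value === undefined || value === null ? false : Boolean(value);
}

function effectiveAfter(value) {
  // After the change: true unless explicitly set to false.
  return value !== false;
}

// Classify one server options object (hypothetical helper).
function auditServerOptions(name, options) {
  const before = effectiveBefore(options.rejectUnauthorized);
  const after = effectiveAfter(options.rejectUnauthorized);
  let finding = 'ok';
  if (options.requestCert === true && before !== after) {
    // Relied on the old default: client certificates not signed by a
    // trusted CA were quietly accepted, and are rejected after the change.
    finding = 'behaviour-changes';
  } else if (options.requestCert === true && after === false) {
    // Explicit opt-out: the connection handler has to check
    // socket.authorized itself before trusting the peer.
    finding = 'accepts-unauthorized-clients';
  }
  return { name, before, after, finding };
}

// Constructed sample configurations (service names are made up).
const samples = {
  'mtls-api': { requestCert: true },
  'legacy-gateway': { requestCert: true, rejectUnauthorized: null },
  'optional-cert': { requestCert: true, rejectUnauthorized: false },
  'strict': { requestCert: true, rejectUnauthorized: true },
  'plain-tls': { rejectUnauthorized: undefined },
};

function auditAll(configs) {
  return Object.entries(configs).map(([n, o]) => auditServerOptions(n, o));
}

for (const r of auditAll(samples)) {
  console.log(`${r.name}: before=${r.before} after=${r.after} -> ${r.finding}`);
}
```

Servers reported as `behaviour-changes` were accepting unauthorized client certificates before the change; those reported as `accepts-unauthorized-clients` still do, by explicit choice.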
jasnell added a commit that referenced this pull request
May 30, 2017
* **Async Hooks**
* The `async_hooks` module has landed in core
[[`4a7233c178`](4a7233c178)]
[#12892](#12892).
* **Buffer**
* Using the `--pending-deprecation` flag will cause Node.js to emit a
deprecation warning when using `new Buffer(num)` or `Buffer(num)`.
[[`d2d32ea5a2`](d2d32ea5a2)]
[#11968](#11968).
* `new Buffer(num)` and `Buffer(num)` will zero-fill new `Buffer` instances
[[`7eb1b4658e`](7eb1b4658e)]
[#12141](#12141).
* Many `Buffer` methods now accept `Uint8Array` as input
[[`beca3244e2`](beca3244e2)]
[#10236](#10236).
* **Child Process**
* Argument and kill signal validations have been improved
[[`97a77288ce`](97a77288ce)]
[#12348](#12348),
[[`d75fdd96aa`](d75fdd96aa)]
[#10423](#10423).
* Child Process methods accept `Uint8Array` as input
[[`627ecee9ed`](627ecee9ed)]
[#10653](#10653).
* **Console**
* Error events emitted when using `console` methods are now suppressed.
[[`f18e08d820`](f18e08d820)]
[#9744](#9744).
* **Dependencies**
* The npm client has been updated to 5.0.0
[[`3c3b36af0f`](3c3b36af0f)]
[#12936](#12936).
* V8 has been updated to 5.8 with forward ABI stability to 6.0
[[`60d1aac8d2`](60d1aac8d2)]
[#12784](#12784).
* **Domains**
* Native `Promise` instances are now `Domain` aware
[[`84dabe8373`](84dabe8373)]
[#12489](#12489).
* **Errors**
* We have started assigning static error codes to errors generated by Node.js.
This has been done through multiple commits and is still a work in
progress.
* **File System**
* The utility class `fs.SyncWriteStream` has been deprecated
[[`7a55e34ef4`](7a55e34ef4)]
[#10467](#10467).
* The deprecated `fs.read()` string interface has been removed
[[`3c2a9361ff`](3c2a9361ff)]
[#9683](#9683).
* **HTTP**
* Improved support for userland implemented Agents
[[`90403dd1d0`](90403dd1d0)]
[#11567](#11567).
* Outgoing Cookie headers are concatenated into a single string
[[`d3480776c7`](d3480776c7)]
[#11259](#11259).
* The `httpResponse.writeHeader()` method has been deprecated
[[`fb71ba4921`](fb71ba4921)]
[#11355](#11355).
* New methods for accessing HTTP headers have been added to `OutgoingMessage`
[[`3e6f1032a4`](3e6f1032a4)]
[#10805](#10805).
* **Lib**
* All deprecation messages have been assigned static identifiers
[[`5de3cf099c`](5de3cf099c)]
[#10116](#10116).
* The legacy `linkedlist` module has been removed
[[`84a23391f6`](84a23391f6)]
[#12113](#12113).
* **N-API**
* Experimental support for the new N-API API has been added
[[`56e881d0b0`](56e881d0b0)]
[#11975](#11975).
* **Process**
* Process warning output can be redirected to a file using the
`--redirect-warnings` command-line argument
[[`03e89b3ff2`](03e89b3ff2)]
[#10116](#10116).
* Process warnings may now include additional detail
[[`dd20e68b0f`](dd20e68b0f)]
[#12725](#12725).
* **REPL**
* REPL magic mode has been deprecated
[[`3f27f02da0`](3f27f02da0)]
[#11599](#11599).
* **Src**
* `NODE_MODULE_VERSION` has been updated to 57
[[`ec7cbaf266`](ec7cbaf266)]
[#12995](#12995).
* Add `--pending-deprecation` command-line argument and
`NODE_PENDING_DEPRECATION` environment variable
[[`a16b570f8c`](a16b570f8c)]
[#11968](#11968).
* The `--debug` command-line argument has been deprecated. Note that
using `--debug` will enable the *new* Inspector-based debug protocol
as the legacy Debugger protocol previously used by Node.js has been
removed. [[`010f864426`](010f864426)]
[#12949](#12949).
* Throw when the `-c` and `-e` command-line arguments are used at the same
time [[`a5f91ab230`](a5f91ab230)]
[#11689](#11689).
* Throw when the `--use-bundled-ca` and `--use-openssl-ca` command-line
arguments are used at the same time.
[[`8a7db9d4b5`](8a7db9d4b5)]
[#12087](#12087).
* **Stream**
* `Stream` now supports `destroy()` and `_destroy()` APIs
[[`b6e1d22fa6`](b6e1d22fa6)]
[#12925](#12925).
* `Stream` now supports the `_final()` API
[[`07c7f198db`](07c7f198db)]
[#12828](#12828).
* **TLS**
* The `rejectUnauthorized` option now defaults to `true`
[[`348cc80a3c`](348cc80a3c)]
[#5923](#5923).
* The `tls.createSecurePair()` API now emits a runtime deprecation
[[`a2ae08999b`](a2ae08999b)]
[#11349](#11349).
* A runtime deprecation will now be emitted when `dhparam` is less than
2048 bits [[`d523eb9c40`](d523eb9c40)]
[#11447](#11447).
* **URL**
* The WHATWG URL implementation is now a fully-supported Node.js API
[[`d080ead0f9`](d080ead0f9)]
[#12710](#12710).
* **Util**
* `Symbol` keys are now displayed by default when using `util.inspect()`
[[`5bfd13b81e`](5bfd13b81e)]
[#9726](#9726).
* `toJSON` errors will be thrown when formatting `%j`
[[`455e6f1dd8`](455e6f1dd8)]
[#11708](#11708).
* Convert `inspect.styles` and `inspect.colors` to prototype-less objects
[[`aab0d202f8`](aab0d202f8)]
[#11624](#11624).
* The new `util.promisify()` API has been added
[[`99da8e8e02`](99da8e8e02)]
[#12442](#12442).
* **Zlib**
* Support `Uint8Array` in Zlib convenience methods
[[`91383e47fd`](91383e47fd)]
[#12001](#12001).
* Zlib errors now use `RangeError` and `TypeError` consistently
[[`b514bd231e`](b514bd231e)]
[#11391](#11391).