mattcg / starttls Goto Github PK
View Code? Open in Web Editor NEWUpgrade a regular `net.Stream` connection to a secure `tls` connection.
starttls's People
Contributors
Stargazers
Watchers
starttls's Issues
Node 4.x
Would be great if this did not warn against using with Node 4.x, seems to work fine.
docs and code don't appear to be correct
With node, when making a tls connection, the authorized status and authorizationError includes the result of the certificate idenity check, see https://github.com/nodejs/node/blob/master/lib/_tls_wrap.js#L1091.
With starttls, the identicy check is done after, https://github.com/mattcg/starttls/blob/master/lib/starttls.js#L96, and is done unconditionally, so that if a cert is not trusted, but does pass the tls.checkServerIdentity() check, someone using your example code will consider the connection valid, even though .authorized may be false.
From the README:
starttls(options, function(err) {
if (err) {
does not appear secure to me under these conditions.
Also,
starttls(socket, function(err) {
if (!tls.checkServerIdentity(host, this.cleartext.getPeerCertificate())) {
// Hostname mismatch!
// Report error and end connection...
}
});
this appears to completely ignore the error object, so a naive use of it will accept invalid certs, that purport to be for the hostname the user is trying to make a secure connection to but have not been validly issued by a trusted CA.
hostname validation missing
Currently starttls doesn't verify the hostname.
This enables a MITM attack because it is enough to present just any signed certificate.
A workaround is to check in the secure handler (in addition to pair.cleartext.authorized) with:
var cert = pair.cleartext.getPeerCertificate()
if(!tls.checkServerIdentity(hostname, cert)) {
// hostname mismatch
}It might be a good idea to move this check into the starttls lib itself.
That would require some api changes, as currently starttls doesn't even know the hostname.
Also checkServerIdentity is not officially documented which might become an issue with future node releases.
Because of these two issues (possibly breaking the api and undocumented function) I'd like to get some feedback first before starting to create a patch + pull request. ;-)
In the meantime it is probably best to at least document this in the example code.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.