tls: emit a warning when servername is an IP address · nodejs/node@9b2ffff (original) (raw)

3 files changed


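--- a/PATH_NOT_ON_PAGE_deprecations_doc
+++ b/PATH_NOT_ON_PAGE_deprecations_doc
@@ -2293,6 +2293,20 @@ Type: Runtime
 Please use `Server.prototype.setSecureContext()` instead.
 
 
+
+### DEP0123: setting the TLS ServerName to an IP address
+<!-- YAML
+changes:
+ - version: REPLACEME
+ pr-url: https://github.com/nodejs/node/pull/REPLACEME
+ description: Runtime deprecation.
+-->
+
+Type: Runtime
+
+Setting the TLS ServerName to an IP address is not permitted by
+[RFC 6066][]. This will be ignored in a future version.
+
 [`--pending-deprecation`]: cli.html#cli_pending_deprecation
 [`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size
 [`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array
@@ -2393,3 +2407,4 @@ Please use `Server.prototype.setSecureContext()` instead.
 [legacy `urlObject`]: url.html#url_legacy_urlobject
 [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
 [WHATWG URL API]: url.html#url_the_whatwg_url_api
+[RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3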
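--- a/PATH_NOT_ON_PAGE_tls_wrap_lib
+++ b/PATH_NOT_ON_PAGE_tls_wrap_lib
@@ -59,6 +59,8 @@ const kSNICallback = Symbol('snicallback');
 
 const noop = () => {};
 
+let ipServernameWarned = false;
+
 function onhandshakestart(now) {
 debug('onhandshakestart');
 
@@ -1240,8 +1242,18 @@ exports.connect = function connect(...args) {
 if (options.session)
 socket.setSession(options.session);
 
-if (options.servername)
+if (options.servername) {
+if (!ipServernameWarned && net.isIP(options.servername)) {
+process.emitWarning(
+'Setting the TLS ServerName to an IP address is not permitted by ' +
+'RFC 6066. This will be ignored in a future version.',
+'DeprecationWarning',
+'DEP0123'
+);
+ipServernameWarned = true;
+}
 socket.setServername(options.servername);
+}
 
 if (options.socket)
 socket._start();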
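Review bot: The new guard in the second hunk calls `net.isIP(options.servername)`, but neither hunk shows `net` being required in this file; if it is not already imported at the top, the first `connect()` call that passes a servername throws a ReferenceError rather than warning, so please confirm the import exists (the enclosing `connect` function starts and ends outside the hunk). The module-level flag in the first hunk deserves a why-comment, since a reader may otherwise expect a per-socket warning: `// Emit DEP0123 at most once per process; servername is caller-supplied and may repeat across connections.` It is also worth noting in that comment that `socket.setServername()` is still called with the IP literal after the warning, matching the deprecation text ("will be ignored in a future version"), so nobody later reads the warning as a rejection of the connection.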
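--- /dev/null
+++ b/PATH_NOT_ON_PAGE_new_tls_test
@@ -0,0 +1,41 @@
+'use strict';
+
+const common = require('../common');
+const fixtures = require('../common/fixtures');
+
+if (!common.hasCrypto)
+common.skip('missing crypto');
+
+const tls = require('tls');
+
+// This test expects `tls.connect()` to emit a warning when
+// `servername` of options is an IP address.
+common.expectWarning(
+'DeprecationWarning',
+'Setting the TLS ServerName to an IP address is not permitted by ' +
+'RFC 6066. This will be ignored in a future version.',
+'DEP0123'
+);
+
+{
+const options = {
+key: fixtures.readKey('agent1-key.pem'),
+cert: fixtures.readKey('agent1-cert.pem')
+};
+
+const server = tls.createServer(options, function(s) {
+s.end('hello');
+}).listen(0, function() {
+const client = tls.connect({
+port: this.address().port,
+rejectUnauthorized: false,
+servername: '127.0.0.1',
+}, function() {
+client.end();
+});
+});
+
+server.on('connection', common.mustCall(function(socket) {
+server.close();
+}));
+}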
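Review bot: The test only exercises an IPv4 literal, and because the warning is gated by a process-wide flag it also cannot show that a second `tls.connect()` does not re-emit; a second client in the same test using an IPv6 literal such as `servername: '::1'` would cover both the IPv6 branch of `net.isIP()` and the once-per-process behaviour, assuming `common.expectWarning` asserts the warning is observed exactly once. Minor style: the `socket` parameter of the `'connection'` handler is unused and can be dropped, `server.on('connection', common.mustCall(function() {`.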