tls, https: validate server certificate by default

This commit changes the default value of the rejectUnauthorized option from false to true. What that means is that tls.connect(), https.get() and https.request() will reject invalid server certificates from now on, including self-signed certificates. There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED environment variable to the literal string "0", node.js reverts to its old behavior. Fixes #3949.
2026-01-15 12:15:26 +00:00 · 2012-08-30 15:14:37 +02:00
parent 4c171a504d
commit 35607f3a2d
38 changed files with 131 additions and 24 deletions
--- a/lib/https.js
+++ b/lib/https.js
@@ -21,6 +21,7 @@

 var tls = require('tls');
 var http = require('http');
+var util = require('util');
 var url = require('url');
 var inherits = require('util').inherits;

@@ -97,11 +98,25 @@ exports.request = function(options, cb) {
    throw new Error('Protocol:' + options.protocol + ' not supported.');
  }

-  if (options.agent === undefined) {
-    options.agent = globalAgent;
+  options = util._extend({
+    createConnection: createConnection,
+    defaultPort: 443
+  }, options);
+
+  if (typeof options.agent === 'undefined') {
+    if (typeof options.ca === 'undefined' &&
+        typeof options.cert === 'undefined' &&
+        typeof options.ciphers === 'undefined' &&
+        typeof options.key === 'undefined' &&
+        typeof options.passphrase === 'undefined' &&
+        typeof options.pfx === 'undefined' &&
+        typeof options.rejectUnauthorized === 'undefined') {
+      options.agent = globalAgent;
+    } else {
+      options.agent = new Agent(options);
+    }
  }
-  options.createConnection = createConnection;
-  options.defaultPort = options.defaultPort || 443;
+
  return new http.ClientRequest(options, cb);
 };