docs and code don't appear to be correct

[sam-github]

With node, when making a tls connection, the authorized status and authorizationError includes the result of the certificate idenity check, see https://github.com/nodejs/node/blob/master/lib/_tls_wrap.js#L1091.

With starttls, the identicy check is done after, https://github.com/mattcg/starttls/blob/master/lib/starttls.js#L96, and is done unconditionally, so that if a cert is not trusted, but does pass the tls.checkServerIdentity() check, someone using your example code will consider the connection valid, even though .authorized may be false.

From the README:

  starttls(options, function(err) {
        if (err) {

does not appear secure to me under these conditions.

Also,

starttls(socket, function(err) {
    if (!tls.checkServerIdentity(host, this.cleartext.getPeerCertificate())) {

        // Hostname mismatch!
        // Report error and end connection...
    }
});

this appears to completely ignore the error object, so a naive use of it will accept invalid certs, that purport to be for the hostname the user is trying to make a secure connection to but have not been validly issued by a trusted CA.

[mattcg]

@sam-github thanks for filing this.

The certificate is being verified from line 82 onwards in starttls.js. What code changes do you propose?