diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md
index 90f6c9f647b496..a21056768ac33e 100644
--- a/doc/api/deprecations.md
+++ b/doc/api/deprecations.md
@@ -1061,7 +1061,7 @@ deprecated and support will be removed in the future.
 [`tls.SecureContext`]: tls.html#tls_tls_createsecurecontext_options
 [`tls.SecurePair`]: tls.html#tls_class_securepair
 [`tls.TLSSocket`]: tls.html#tls_class_tls_tlssocket
-[`tls.checkServerIdentity()`]: tls.html#tls_tls_checkserveridentity_host_cert
+[`tls.checkServerIdentity()`]: tls.html#tls_tls_checkserveridentity_hostname_cert
 [`tls.createSecureContext()`]: tls.html#tls_tls_createsecurecontext_options
 [`util._extend()`]: util.html#util_util_extend_target_source
 [`util.debug()`]: util.html#util_util_debug_string
diff --git a/doc/api/tls.md b/doc/api/tls.md
index e22286adb45ad3..2f600fb4249f77 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -358,7 +358,7 @@ added: v0.5.3
 `cert`, `ca`, etc).
 The `server.addContext()` method adds a secure context that will be used if
-the client request's SNI hostname matches the supplied `hostname` (or wildcard).
+the client request's SNI name matches the supplied `hostname` (or wildcard).
 ### server.address()
-* `host` {string} The hostname to verify the certificate against
+* `hostname` {string} The hostname to verify the certificate against
 * `cert` {Object} An object representing the peer's certificate. The returned object has some properties corresponding to the fields of the certificate.
 * Returns: {Error|undefined}
-Verifies the certificate `cert` is issued to host `host`.
+Verifies the certificate `cert` is issued to `hostname`.
 Returns {Error} object, populating it with the reason, host, and cert on failure. On success, returns {undefined}.
diff --git a/lib/tls.js b/lib/tls.js
index dc8a6a29c71b76..f13c5c1c8601c2 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -161,14 +161,14 @@ function check(hostParts, pattern, wildcards) {
 }
 let urlWarningEmitted = false;
-exports.checkServerIdentity = function checkServerIdentity(host, cert) {
+exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
 const subject = cert.subject;
 const altNames = cert.subjectaltname;
 const dnsNames = [];
 const uriNames = [];
 const ips = [];
- host = '' + host;
+ hostname = '' + hostname;
 if (altNames) {
 for (const name of altNames.split(', ')) {
@@ -200,14 +200,14 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 let valid = false;
 let reason = 'Unknown reason';
- if (net.isIP(host)) {
- valid = ips.includes(canonicalizeIP(host));
+ if (net.isIP(hostname)) {
+ valid = ips.includes(canonicalizeIP(hostname));
 if (!valid)
- reason = `IP: ${host} is not in the cert's list: ${ips.join(', ')}`;
+ reason = `IP: ${hostname} is not in the cert's list: ${ips.join(', ')}`;
 // TODO(bnoordhuis) Also check URI SANs that are IP addresses.
 } else if (subject) {
- host = unfqdn(host); // Remove trailing dot for error messages.
- const hostParts = splitHost(host);
+ hostname = unfqdn(hostname); // Remove trailing dot for error messages.
+ const hostParts = splitHost(hostname);
 const wildcard = (pattern) => check(hostParts, pattern, true);
 const noWildcard = (pattern) => check(hostParts, pattern, false);
@@ -221,11 +221,12 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 valid = wildcard(cn);
 if (!valid)
- reason = `Host: ${host}. is not cert's CN: ${cn}`;
+ reason = `Host: ${hostname}. is not cert's CN: ${cn}`;
 } else {
 valid = dnsNames.some(wildcard) || uriNames.some(noWildcard);
 if (!valid)
- reason = `Host: ${host}. is not in the cert's altnames: ${altNames}`;
+ reason =
+ `Host: ${hostname}. is not in the cert's altnames: ${altNames}`;
 }
 } else {
 reason = 'Cert is empty';
@@ -234,7 +235,7 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 if (!valid) {
 const err = new ERR_TLS_CERT_ALTNAME_INVALID(reason);
 err.reason = reason;
- err.host = host;
+ err.host = hostname;
 err.cert = cert;
 return err;
 }
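Review bot: The assignment `err.host = hostname;` now pairs a parameter called `hostname` with an error property still called `host`, and nothing at the line says that the property name is deliberate; the doc hunk in this same commit documents the error as carrying `reason`, `host`, and `cert`, so a later "consistency" rename of the property would break that documented contract. It is also worth noting here that in the subject branch the value assigned is not the caller's argument but the `unfqdn()`-normalized string (the earlier hunk strips the trailing dot for error messages), so `err.host` can differ from what was passed in. I would add `err.host = hostname; // property name "host" is documented API; value is unfqdn()-normalized in the subject branch` so neither detail gets "fixed" by accident. checkServerIdentity begins before this hunk and its closing lines are outside it.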