From d9b70f9cbfe1d76a516378afa0ade0818d45bfd4 Mon Sep 17 00:00:00 2001
From: Mike Atkins
Date: Mon, 10 Aug 2015 11:55:37 -0400
Subject: [PATCH] tls: handle empty cert in checkServerIndentity

This resolves joyent/node#9272. `tlsSocket.getPeerCertificate` will return an empty object when the peer does not provide a certificate, but, prior to this, when the certificate is empty, `checkServerIdentity` would throw because the `subject` wasn't present on the cert. `checkServerIdentity` must return an error, not throw one, so this returns an error when the cert is empty instead of throwing a `TypeError`.
PR-URL: https://github.com/nodejs/node/pull/2343
Reviewed-By: Fedor Indutny
Reviewed-By: Shigeki Ohtsu
---
 lib/tls.js | 4 +++-
 test/parallel/test-tls-check-server-identity.js | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/tls.js b/lib/tls.js
index 714fdebfc079bd..0e22242bc47feb 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -151,7 +151,7 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 host, ips.join(', ')); }
- } else {
+ } else if (cert.subject) {
 // Transform hostname to canonical form if (!/\.$/.test(host)) host += '.';
@@ -204,6 +204,8 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 cert.subject.CN); } }
+ } else {
+ reason = 'Cert is empty';
 } if (!valid) {
diff --git a/test/parallel/test-tls-check-server-identity.js b/test/parallel/test-tls-check-server-identity.js
index e659f40aa90232..8d2155b94ea9af 100644
--- a/test/parallel/test-tls-check-server-identity.js
+++ b/test/parallel/test-tls-check-server-identity.js
@@ -30,6 +30,13 @@ var tests = [
 'DNS:omg.com' },
+ // Empty Cert
+ {
+ host: 'a.com',
+ cert: { },
+ error: 'Cert is empty'
+ },
+ // Multiple CN fields { host: 'foo.com', cert: {
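Review bot: In lib/tls.js the new `else if (cert.subject)` guard selects the whole hostname branch on `subject` alone, so a certificate that carries `subjectaltname` entries but no `subject` appears to fall through to the `else` added in the second hunk and be reported as 'Cert is empty'. That fails closed, which is the safe direction for identity verification, but the reason is misleading when triaging a failed handshake, and it settles by side effect that SAN-only certificates are never accepted. If that is intended, a distinct reason such as `reason = cert.subjectaltname ? 'Cert has no subject' : 'Cert is empty';` plus a short comment on the guard would make the decision explicit. The function body starts and ends outside both hunks, so how `cert.subject` is used between them is not fully visible here.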
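Review bot: The case added to test/parallel/test-tls-check-server-identity.js pins only `cert: { }`, while the branch it exercises in lib/tls.js is selected by a missing `subject`, not by an empty object. A companion entry such as `{ host: 'a.com', cert: { subjectaltname: 'DNS:a.com' }, error: 'Cert is empty' }` would record whether rejecting a SAN-only certificate is deliberate; the expected `error` string is my reading of the lib/tls.js change and should be confirmed by running it. An IP-literal host with an empty cert looks to be handled by a different branch and would be worth pinning too, so the no-throw contract is covered on both paths. The `tests` array starts and ends outside this hunk.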