Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: warn on NODE_TLS_REJECT_UNAUTHORIZED = '0' #21900

Merged
merged 1 commit into from
Jul 23, 2018
Merged

Conversation

cjihrig
Copy link
Contributor

@cjihrig cjihrig commented Jul 20, 2018

Warn on the first request that sets the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0'.

Refs: #21774

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

lib/_tls_wrap.js Outdated
// Arguments: [port,] [host,] [options,] [cb]
exports.connect = function connect(...args) {
args = normalizeConnectArgs(args);
var options = args[0];
var cb = args[1];
const allowUnauthorized = '0' === process.env.NODE_TLS_REJECT_UNAUTHORIZED;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we reverse this equality check?: process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0'

lib/_tls_wrap.js Outdated
warnOnAllowUnauthorized = false;
process.emitWarning('Setting the NODE_TLS_REJECT_UNAUTHORIZED ' +
'environment variable to \'0\' is considered ' +
'insecure.');
Copy link
Member

@ChALkeR ChALkeR Jul 20, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

«is considered insecure» is too broad, imo.

Perhaps something among the lines «makes tls connections and https requests insecure»?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possibly even add "by disabling certificate verification" or so, because my experience is that people using this option almost never actually know what it does... and have just enabled it because a code example suggested it / a StackOverflow answer told them to / their boss told them to / etc.

Copy link
Member

@ChALkeR ChALkeR Jul 20, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, makes tls connections and https requests insecure by disabling certificate verification looks much better to me :-).

Warn on the first request that sets the
NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0'.

PR-URL: nodejs#21900
Refs: nodejs#21774
Reviewed-By: James M Snell <[email protected]>
@cjihrig
Copy link
Contributor Author

cjihrig commented Jul 23, 2018

@cjihrig cjihrig merged commit 3095eec into nodejs:master Jul 23, 2018
@cjihrig cjihrig deleted the warn branch July 23, 2018 01:53
Copy link
Member

@ChALkeR ChALkeR left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Belated LGTM, the comments were addressed.

@targos
Copy link
Member

targos commented Jul 24, 2018

This has no label. Should it be semver-minor? Or at least a notable-change?

@targos
Copy link
Member

targos commented Jul 26, 2018

^ @cjihrig @ChALkeR
I ask for the changelog.

@mscdex mscdex added the tls Issues and PRs related to the tls subsystem. label Jul 26, 2018
@mscdex
Copy link
Contributor

mscdex commented Jul 26, 2018

Yeah, this should have been semver-major I believe.

@cjihrig
Copy link
Contributor Author

cjihrig commented Jul 26, 2018

Yeah, as a new warning, I think semver-major might be appropriate.

@targos targos added the semver-major PRs that contain breaking changes and should be released in the next major version. label Jul 26, 2018
@targos
Copy link
Member

targos commented Jul 26, 2018

OK I added the label

@ChALkeR
Copy link
Member

ChALkeR commented Jul 26, 2018

@mscdex @targos I am fine with either semver-major or semver-minor/notable-change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security Issues and PRs related to security. semver-major PRs that contain breaking changes and should be released in the next major version. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants