Allow user to override rejectUnauthorized #212

Closed
19 changes: 10 additions & 9 deletions core/README.md
@@ -898,15 +898,16 @@ The following is the list of connection options and default values.

### TlsOptions

| Option | Default | Description |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------- |
| `ca` | N/A | CA certificate |
| `caFile` | | CA certificate filepath |
| `cert` | N/A | Client certificate |
| `certFile` | N/A | Client certificate file path |
| `key` | N/A | Client key |
| `keyFile` | N/A | Client key file path |
| `handshakeFirst` | false | Connects to the server directly as TLS rather than upgrade the connection. Note that the server must be configured accordingly. |
| Option | Default | Description |
| -------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------- |
| `ca` | N/A | CA certificate |
| `caFile` | | CA certificate filepath |
| `cert` | N/A | Client certificate |
| `certFile` | N/A | Client certificate file path |
| `key` | N/A | Client key |
| `keyFile` | N/A | Client key file path |
| `handshakeFirst` | false | Connects to the server directly as TLS rather than upgrade the connection. Note that the server must be configured accordingly. |
| `rejectUnauthorized` | true | If true, the client will reject the server's certificate if it is not signed by a trusted CA. |

In some Node and Deno clients, having the option set to an empty option,
requires the client have a secured connection.
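Review bot: The new `rejectUnauthorized` row should say which transports honour it; the core.ts review thread in this PR notes it is a Node-only option, so a Deno or browser user reading this shared README would expect a setting that is silently ignored. Suggest extending the description along the lines of `Node transport only. If false, the client accepts any server certificate, which removes protection against man-in-the-middle attacks; leave at true outside of local testing.` While the table is being touched, the pre-existing blank `Default` cell for `caFile` could also be set to `N/A` for consistency with the other rows.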
6 changes: 6 additions & 0 deletions core/src/core.ts
@@ -965,6 +965,12 @@ export interface TlsOptions {
* handshakeFirst option requires the server to be configured with `handshakeFirst: true`.
*/
handshakeFirst?: boolean;
/**
* rejectUnauthorized option enforces that the server's certificate is signed by a trusted CA.
*
* @default true
*/
rejectUnauthorized?: boolean;
Member: this is a node only option.

certFile?: string;
cert?: string;
caFile?: string;
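Review bot: The JSDoc on `rejectUnauthorized?: boolean` does not record the Node-only scope raised in the comment above, nor what setting it to `false` actually does; since `TlsOptions` is the interface shared by all transports, the doc comment is where a caller will look. Suggest: `Node transport only; ignored by other transports. When false the server certificate is not validated against the trusted CAs, so the connection is no longer authenticated.` Keep the `@default true` line.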
5 changes: 4 additions & 1 deletion transport-node/src/node_transport.ts
@@ -235,9 +235,9 @@ export class NodeTransport implements Transport {
async tlsFirst(hp: { hostname: string; port: number }): Promise<TLSSocket> {
let tlsError: Error;
let tlsOpts: {
rejectUnauthorized: boolean;
servername: string;
socket?: Socket;
rejectUnauthorized: boolean;
} = {
servername: this.tlsName,
rejectUnauthorized: true,
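Review bot: Moving `rejectUnauthorized: boolean;` below `socket?: Socket;` in the inline type is a pure reorder with no behavioural effect; dropping it would keep the diff limited to the functional change, or, if the reorder is kept, the second `tlsOpts` initializer touched later in this PR should be given the same field order so the two declarations stay in step.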
@@ -246,6 +246,7 @@ export class NodeTransport implements Transport {
tlsOpts.socket = this.socket;
}
if (typeof this.options.tls === "object") {
tlsOpts.rejectUnauthorized = this.options.tls.rejectUnauthorized ?? true;
try {
const certOpts = await this.loadClientCerts() || {};
tlsOpts = extend(tlsOpts, this.options.tls, certOpts);
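Review bot: `tlsOpts.rejectUnauthorized = this.options.tls.rejectUnauthorized ?? true;` is immediately followed by `tlsOpts = extend(tlsOpts, this.options.tls, certOpts);`, which copies the user's `tls` object over `tlsOpts` anyway, so the new line only changes the outcome when the user passes an explicit `undefined` or when `loadClientCerts()` throws before `extend` runs; a one-line comment stating that intent would stop the next reader from removing it as redundant. Also worth considering: a `false` here switches off server certificate validation with no trace in the logs, so a warning at this point (or at connect time) would make an insecure configuration visible to operators.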
@@ -296,6 +297,8 @@ export class NodeTransport implements Transport {
rejectUnauthorized: true,
};
if (typeof this.options.tls === "object") {
tlsOpts.rejectUnauthorized = this.options.tls.rejectUnauthorized ?? true;

try {
const certOpts = await this.loadClientCerts() || {};
tlsOpts = extend(tlsOpts, this.options.tls, certOpts);
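Review bot: The `rejectUnauthorized ?? true` defaulting now appears in two places (here and in the `tlsFirst` path above), so the two connection paths can drift the next time either is edited; a small helper that builds the base `tlsOpts` from `this.options.tls` and is called from both places would keep the default, and any future warning about it being disabled, in one spot. The extra blank line after the new assignment is also inconsistent with the first hunk and can be dropped.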