crypto: support RFC 2818 compatible checkHost

The subject option should not only accept the values 'always' and 'never' because neither is compatible with RFC 2818, i.e., HTTPS. This change adds a third value 'default', which implies the behavior that HTTPS mandates.

The new 'default' case matches the default behavior of OpenSSL for both DNS names and email addresses.

Alternatively, we could adopt this behavior when the subject option is not set by the user (or undefined), but that would be a breaking change (since the option currently defaults to 'always').

This PR, on the other hand, can be backported to v14.x, v16.x, and v17.x. Consequently, if this lands, I will open a semver-major PR to change the default from 'always' to 'default'.

Refs: https://github.com/nodejs/node/pull/36804

cc @nodejs/crypto
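
An added example, not code from this pull request or from Node.js: a simplified JavaScript model of how the three `subject` values decide whether the certificate subject is consulted during a host check. `checkHostModel`, `decisionTable` and the certificate objects are hypothetical, and names are compared exactly (case-insensitive, no wildcard handling).

```javascript
// Model of the `subject` option described above. `cert` is a plain object
// standing in for a certificate, not a real X509Certificate instance.
// Returns the matching name, or undefined when nothing matches.
function checkHostModel(cert, host, subject = 'always') {
  const same = (a, b) => a.toLowerCase() === b.toLowerCase();
  const dnsNames = cert.sanDnsNames || [];

  // SAN dNSName entries are consulted first in every mode.
  const sanHit = dnsNames.find((name) => same(name, host));
  if (sanHit !== undefined) return sanHit;

  let considerSubject;
  switch (subject) {
    case 'always': // subject CN is a fallback even when DNS SANs exist
      considerSubject = true;
      break;
    case 'never': // subject CN is ignored entirely
      considerSubject = false;
      break;
    case 'default': // RFC 2818: subject CN only when no DNS SAN is present
      considerSubject = dnsNames.length === 0;
      break;
    default:
      throw new TypeError(`invalid subject option: ${subject}`);
  }
  if (considerSubject && cert.subjectCN && same(cert.subjectCN, host)) {
    return cert.subjectCN;
  }
  return undefined;
}

// Constructed sample certificates (names are made up for this example).
const sanAndCn = { subjectCN: 'legacy.example.com', sanDnsNames: ['www.example.com'] };
const cnOnly = { subjectCN: 'legacy.example.com', sanDnsNames: [] };

// For each mode: is 'legacy.example.com' (the CN) accepted by each certificate?
function decisionTable() {
  return ['always', 'never', 'default'].map((mode) => ({
    mode,
    sanAndCn: checkHostModel(sanAndCn, 'legacy.example.com', mode) !== undefined,
    cnOnly: checkHostModel(cnOnly, 'legacy.example.com', mode) !== undefined,
  }));
}

console.table(decisionTable());
```

In this model only 'default' both rejects the CN when a DNS SAN is present and still accepts a certificate that carries no DNS SAN at all, which is why neither existing value matches what HTTPS requires.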
