crypto: support RFC 2818 compatible checkHost
The subject option should not only accept the values 'always' and 'never' because neither is compatible with RFC 2818, i.e., HTTPS. This change adds a third value 'default', which implies the behavior that HTTPS mandates.
The new 'default' case matches the default behavior of OpenSSL for both DNS names and email addresses.
Alternatively, we could adopt this behavior when the subject option is not set by the user (or undefined), but that would be a breaking change (since the option currently defaults to 'always').
This PR, on the other hand, can be backported to v14.x, v16.x, and v17.x. Consequently, if this lands, I will open a semver-major PR to change the default from 'always' to 'default'.
Refs: https://github.com/nodejs/node/pull/36804
cc @nodejs/crypto
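An added example, not part of the PR or of Node.js itself: a small model of how the three `subject` values differ for DNS host names, following RFC 2818 (the subject common name is consulted only when the certificate carries no DNS subject alternative names). The function `checkHostModel`, the certificate objects and the host names are hypothetical, and matching is simplified to exact, case-insensitive comparison with no wildcard handling.

```javascript
'use strict';

// Model of the three `subject` modes for host name checks (added example).
// Simplification: exact, case-insensitive comparison only; no wildcards,
// IP addresses or email addresses.
function sameName(a, b) {
  return a.toLowerCase() === b.toLowerCase();
}

// `cert` is a constructed object: { subjectCN: string|null, dnsNames: string[] }.
// Returns the name that matched, or undefined when nothing matched.
function checkHostModel(cert, host, subject = 'always') {
  if (!['default', 'always', 'never'].includes(subject)) {
    throw new TypeError(`invalid subject option: ${subject}`);
  }
  // DNS subject alternative names are consulted in every mode.
  const sanMatch = cert.dnsNames.find((name) => sameName(name, host));
  if (sanMatch !== undefined) return sanMatch;

  // 'always'  : fall back to the subject CN even when DNS SANs exist.
  // 'default' : fall back only when there are no DNS SANs (RFC 2818).
  // 'never'   : ignore the subject CN entirely.
  const considerSubject =
    subject === 'always' ||
    (subject === 'default' && cert.dnsNames.length === 0);
  if (considerSubject && cert.subjectCN !== null &&
      sameName(cert.subjectCN, host)) {
    return cert.subjectCN;
  }
  return undefined;
}

// Constructed sample certificates (not real certificates).
const sanAndCn = { subjectCN: 'legacy.example.org', dnsNames: ['www.example.org'] };
const cnOnly = { subjectCN: 'legacy.example.org', dnsNames: [] };

// One row per mode, checking the CN-only host name against both certificates.
function demo() {
  return ['always', 'default', 'never'].map((mode) => ({
    mode,
    sanAndCn: checkHostModel(sanAndCn, 'legacy.example.org', mode) ?? null,
    cnOnly: checkHostModel(cnOnly, 'legacy.example.org', mode) ?? null,
  }));
}

console.table(demo());
```

Only 'always' accepts a host name that appears solely in the subject CN of a certificate that also lists DNS SANs, which is the case RFC 2818 rules out.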