Skip to content

tls: deprecate NODE_TLS_REJECT_AUTHORIZED

Rodrigo Muino Tomonari requested to merge github/fork/dcposch/tls into master

Fixes #5258 (closed)

Included in this PR

  • Deprecates the NODE_TLS_REJECT_AUTHORIZED environment variable
  • Replaces it with NODE_TLS_INSECURELY_ACCEPT_UNTRUSTED_CERTIFICATES

Also thinking of adding type validation for the rejectUnauthorized option, so that it must be the boolean false to disable cert checking, rather than any falsey value, as follows:

 // require `false`, not just a "falsey" value, to forego cert validation
 assert(typeof options.rejectUnauthorized === 'boolean',
        'options.rejectUnauthorized is not boolean: ' +
        options.rejectUnauthorized);

Let me know if this is likely to break existing code.

Not included

  • The option is still called rejectUnauthorized. We could deprecate that as well and replace it with insecurelyAcceptUntrustedCerts or similar, but I don't know if it's worth it --- @ChALkeR found that the existing option is used in a lot of npm modules.

Merge request reports