On Fri, May 3, 2013 at 7:39 PM, Nik Martin <[email protected]> wrote:
> This requires some background to properly understand what I'm attempting:
>
> Amazon S3 allows static website hosting, but with a requirement that the
> bucket name must match your domain name. This means your bucket name will
> look like: mydomain.com. Amazon S3 also provides a wildcard SSL certificate
> for *.s3.amazonaws.com. By the rules of TLS, this means com.s3.amazonaws.com
> IS covered by the certificate, but mybucket.com.s3.amazonaws.com is not.
> Node applications, like Knox that connect to *.com.s3.amazonaws.com should
> really be able to trust that certificate, even though it breaks the rules of
> TLS, since the knox library is a 'closed system': it only ever connects to
> an Amazon property.
>
> The Node module https relies on tls.js, and tls.js has this function:
>
> function checkServerIdentity(host, cert) {
>   ...
>   // "The client SHOULD NOT attempt to match a presented identifier in
>   // which the wildcard character comprises a label other than the
>   // left-most label (e.g., do not match bar.*.example.net)."
>   // RFC6125
>   if (!wildcards && /\*/.test(host) || /[\.\*].*\*/.test(host) ||
>       /\*/.test(host) && !/\*.*\..+\..+/.test(host)) {
>     return /$./;
>   }
>
> Which will properly return a "Certificate Mismatch" error. My understanding
> of the Node Global Module Cache is that if the Knox module overrides the
> checkServerIdentity function, which is several levels down and not called
> directly by Knox, the override will be in the global cache for tls.js, so
> any other Node app on that system will also get the overridden
> checkServerIdentity function, which WOULD possibly be a security issue.
>
> Is this the case? Is there a way to override node internals for my
> app/module only?
You don't need to override anything in node core, just connect with {
rejectUnauthorized: false } and check the authorized and
authorizationError properties in your 'secureConnect' event listener.
And yes, monkey-patching checkServerIdentity() will affect all other
modules. You _might_ be able to circumvent that by getting creative
with require.cache but that gets icky fast.