From 0b10714c6604f819492cc89818cda07428b821ca Mon Sep 17 00:00:00 2001
From: lutovich
Date: Mon, 28 May 2018 13:55:58 +0200
Subject: [PATCH] SNI support for encrypted connections
This commit enables SNI for TLS connections by making them send the target hostname in the first TLS message. It is done by simply adding a new TLS connection option called `servername`.
---
 src/v1/internal/ch-node.js | 47 ++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 25 deletions(-)
diff --git a/src/v1/internal/ch-node.js b/src/v1/internal/ch-node.js
index d84af1f23..723b18c49 100644
--- a/src/v1/internal/ch-node.js
+++ b/src/v1/internal/ch-node.js
@@ -123,14 +123,8 @@ const TrustStrategy = {
 return;
 }
- let tlsOpts = {
- ca: config.trustedCertificates.map((f) => fs.readFileSync(f)),
- // Because we manually check for this in the connect callback, to give
- // a more helpful error to the user
- rejectUnauthorized: false
- };
-
- let socket = tls.connect(config.url.port, config.url.host, tlsOpts, function () {
+ const tlsOpts = newTlsOptions(config.url.host, config.trustedCertificates.map((f) => fs.readFileSync(f)));
+ const socket = tls.connect(config.url.port, config.url.host, tlsOpts, function () {
 if (!socket.authorized) {
 onFailure(newError("Server certificate is not trusted. If you trust the database you are connecting to, add" +
 " the signing certificate, or the server certificate, to the list of certificates trusted by this driver" +
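Review bot: The new `const tlsOpts = newTlsOptions(config.url.host, config.trustedCertificates.map((f) => fs.readFileSync(f)));` line still reads every CA file synchronously inside the argument list, so a missing or unreadable path in `trustedCertificates` throws out of this trust strategy instead of being reported through `onFailure` the way the `socket.authorized` failure below is, unless a try/catch outside the hunk already wraps it. I would read the files into a local first and route the error the same way: `let ca; try { ca = config.trustedCertificates.map((f) => fs.readFileSync(f)); } catch (e) { onFailure(newError("Could not read trusted certificate: " + e.message)); return; }` followed by `const tlsOpts = newTlsOptions(config.url.host, ca);`. The enclosing `TRUST_CUSTOM_CA_SIGNED_CERTIFICATES` function begins before the hunk and its connect callback continues after it.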
@@ -146,13 +140,8 @@ const TrustStrategy = {
 return socket;
 },
 TRUST_SYSTEM_CA_SIGNED_CERTIFICATES : function( config, onSuccess, onFailure ) {
-
- let tlsOpts = {
- // Because we manually check for this in the connect callback, to give
- // a more helpful error to the user
- rejectUnauthorized: false
- };
- let socket = tls.connect(config.url.port, config.url.host, tlsOpts, function () {
+ const tlsOpts = newTlsOptions(config.url.host);
+ const socket = tls.connect(config.url.port, config.url.host, tlsOpts, function () {
 if (!socket.authorized) {
 onFailure(newError("Server certificate is not trusted. If you trust the database you are connecting to, use " +
 "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and add" +
@@ -175,13 +164,9 @@ const TrustStrategy = {
 console.warn('`TRUST_ON_FIRST_USE` has been deprecated as option and will be removed in a future version of ' +
 "the driver. Please use `TRUST_ALL_CERTIFICATES` instead.");
- let tlsOpts = {
- // Because we manually verify the certificate against known_hosts
- rejectUnauthorized: false
- };
-
- let socket = tls.connect(config.url.port, config.url.host, tlsOpts, function () {
- var serverCert = socket.getPeerCertificate(/*raw=*/true);
+ const tlsOpts = newTlsOptions(config.url.host);
+ const socket = tls.connect(config.url.port, config.url.host, tlsOpts, function () {
+ const serverCert = socket.getPeerCertificate(/*raw=*/true);
 if( !serverCert.raw ) {
 // If `raw` is not available, we're on an old version of NodeJS, and
@@ -229,9 +214,7 @@ const TrustStrategy = {
 },
 TRUST_ALL_CERTIFICATES: function (config, onSuccess, onFailure) {
- const tlsOpts = {
- rejectUnauthorized: false
- };
+ const tlsOpts = newTlsOptions(config.url.host);
 const socket = tls.connect(config.url.port, config.url.host, tlsOpts, function () {
 const certificate = socket.getPeerCertificate();
 if (isEmptyObjectOrNull(certificate)) {
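Review bot: The `TRUST_ON_FIRST_USE` branch loses its rationale comment `// Because we manually verify the certificate against known_hosts` when it switches to `const tlsOpts = newTlsOptions(config.url.host);`, and the helper's generic "we manually check for this in the connect callback" now reads as if this mode consulted `socket.authorized`, which it does not — as the removed comment and the `getPeerCertificate(/*raw=*/true)` call show, it checks the raw peer certificate itself. I would keep a one-line comment above the new call: `// rejectUnauthorized is false here because the certificate is checked against known_hosts below, not via socket.authorized`. Setting `servername` presumably also makes Node run its own hostname check on this connection, but since this mode never reads `socket.authorized` that result is ignored, which is worth stating in the same comment. The enclosing function and its connect callback continue outside the hunk.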
@@ -275,6 +258,20 @@ function connect( config, onSuccess, onFailure=(()=>null) ) {
 }
 }
+/**
+ * Create a new configuration options object for the {@code tls.connect()} call.
+ * @param {string} hostname the target hostname.
+ * @param {string|undefined} ca an optional CA.
+ * @return {object} a new options object.
+ */
+function newTlsOptions(hostname, ca = undefined) {
+ return {
+ rejectUnauthorized: false, // we manually check for this in the connect callback, to give a more helpful error to the user
+ servername: hostname, // server name for the SNI (Server Name Indication) TLS extension
+ ca: ca, // optional CA useful for TRUST_CUSTOM_CA_SIGNED_CERTIFICATES trust mode
+ };
+}
+
 /**
 * In a Node.js environment the 'net' module is used
 * as transport.
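Review bot: `servername: hostname` is sent unconditionally, but `config.url.host` can be an IP literal (`127.0.0.1`, or an IPv6 address), and RFC 6066 does not allow IP addresses in the SNI HostName; newer Node versions warn about it (DEP0123) and a server may ignore or reject such a ClientHello. Assuming `net` is already required in this file (the comment right below says it is the transport), I would only send SNI for real host names: `servername: net.isIP(hostname) ? undefined : hostname, // RFC 6066: no IP literals in SNI`. The `@param {string|undefined} ca` tag does not match the one caller that passes it, `TRUST_CUSTOM_CA_SIGNED_CERTIFICATES`, which hands over an array of `Buffer`s from `fs.readFileSync`, so it should read `@param {Array<Buffer>|undefined} ca PEM-encoded CA certificates; undefined presumably leaves Node's default CA store in place` and `ca: ca` can become the shorthand `ca`. The comment on `rejectUnauthorized` ("we manually check for this in the connect callback") is only true for the two CA-based modes; as far as the hunks show, `TRUST_ON_FIRST_USE` and `TRUST_ALL_CERTIFICATES` never read `socket.authorized`, so a more accurate wording is `// never let tls reject the peer itself: each trust strategy inspects socket.authorized or the peer certificate in its connect callback`.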