svapreddy
commented
8 years ago I think no. If you are using Chrome, when a call is failed to localhost. You can open that in new tab and skip unsafe check. Then it should start working.
Closed darkpixel closed 8 years ago
svapreddy
commented
8 years ago I think no. If you are using Chrome, when a call is failed to localhost. You can open that in new tab and skip unsafe check. Then it should start working.
darkpixel
commented
8 years ago I'm having trouble finding the 'skip unsafe' checkbox in my bash shell running /usr/bin/nodejs. ;)
natevw
commented
8 years ago Can you simply connect to http://localhost:8000 instead? Then you don't end up with only the illusion of security.
Fermata does not currently have a way to ignore untrusted certs, see the logic https://github.com/natevw/fermata/blob/upcoming/fermata.js#L150-L157 where the options passed are fixed and no provision for rejectUnauthorized is made. (You really have to override the agent used to do that, too.)
If you really must test things this way, see http://stackoverflow.com/a/21961005/179583 for a tip on how to make HTTPS susceptible to attacks for all requests your process makes.
While the particular "ignore untrusted certs" case is one I'm usually suspect (not saying you in particular don't have your reasons and understand the risks), I agree Fermata does need a way to customize the things that node and XHR allow customizing.
Between things like this and https://github.com/natevw/fermata/pull/60 and my general plan sort of noted at https://github.com/natevw/fermata/issues/51#issuecomment-75347180, I think it's time to add a further "opts" parameter along with the headers you can already override. Stay tuned.
natevw
commented
8 years ago Ah, missed this in my original review of how the node transport sets up the request: agent: http.globalAgent.
That is, we re-read the globalAgent property of the http/https module each time a request is made. So there's already some options for customization there on the node side, but it's still going to be global so in this case — if you really must to disable the "S" in HTTPS! — the NODE_TLS_REJECT_UNAUTHORIZED environment variable explained in that stackoverflow link above is really about the same.
natevw
commented
8 years ago Okay, I finally merged the "upcoming" branch into master and published it as fermata@0.11.0-beta1. In 0.11 you can pass options:
var nodeOpts = {
agent: new require('https').Agent(),
rejectUnauthorized: false // DANGER/WARNING — security vulnerability
};
var opts = {node:nodeOpts};
url.get(opts, {}, null, callback);I don't plan to make turning off HTTPS security any easier than node itself makes it, so I think this ticket can be closed. Thanks for your feedback!
darkpixel
commented
8 years ago One thing to consider might be a hook to validate the cert. For testing you could do something like:
function validate_cert(cert, callback) {
callback(true);
}And in a few applications that need it you would be able to do certificate pinning.
function validate_cert(cert, callback) {
if (cert.fingerprint === 'aa:bb:cc:dd....') {
callback(true);
} else {
callback(false);
}
}Just a thought. Thanks for the workaround and fix @natevw.
Is there a way to ignore untrusted certs? I'm in a test environment trying to connect to https://localhost:8000/.