Open martenrichter opened 9 months ago
Well no feedback so far...., as I said, I may write a PR for this, if I know it has a chance to land in node.js...
Ok, I have now implemented a workaround, doing verification after connection: https://github.com/fails-components/webtransport/commit/fb9b7dc3cb60f13c232510cce78edc9b1c663811 I do not like this, but it will work for now.
There has been no activity on this feature request for 5 months. To help maintain relevant open issues, please add the https://github.com/nodejs/node/labels/never-stale label or close this issue if it should be closed. If not, the issue will be automatically closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document.
Well no feedback so far...., I just post something to make the bot happy.
What is the problem this feature will solve?
I am currently trying to implement http/2 webtransport with native node functions. Webtransport has (at least on http/3) the feature, that certificates are verified using a hash identifier if their validity is below 14 days. My objective is to achieve this also for the http/2 implementation. (I believe that similar problems may arrise for http/3 webtransport for the upcoming quic/http/3 infrastructure, although different code is used for quic then for TCP TLS)
What is the feature you are proposing to solve the problem?
So far, I tried to use the
checkServerIdentity
feature for checking. However, if the verification fails at https://github.com/nodejs/node/blob/ab5fa2a2210416b0db0e601620da81ce34adf59a/lib/_tls_wrap.js#L1600C35-L1600C47 checkServerIdentity is never called. The verification happens inside OpenSSL apparently. I got aself-signed certificate
error in my first attempts, so it did not reach the checkServerIdentity. I can not supply the certificate as ca, as I do not know it before a connection.rejectUnauthorized=false
is not an option, as it also removes the call to checkServerIdentity:I see the following options:
checkServerIdentity
(If I am not mistaken, this is also missing for the tlscontext.cc in quic).
Of course, whatever option is the best (if any), I would be happy to create a PR.
What alternatives have you considered?
No response