search

nodejs / node

Node.js JavaScript runtime ✨🐢🚀✨
https://nodejs.org
Other
104.97k stars 28.42k forks source link

http2: Support of custom certificate verifier #49841

Open martenrichter opened 9 months ago

martenrichter commented 9 months ago

What is the problem this feature will solve?

I am currently trying to implement http/2 webtransport with native node functions. Webtransport has (at least on http/3) the feature, that certificates are verified using a hash identifier if their validity is below 14 days. My objective is to achieve this also for the http/2 implementation. (I believe that similar problems may arrise for http/3 webtransport for the upcoming quic/http/3 infrastructure, although different code is used for quic then for TCP TLS)

What is the feature you are proposing to solve the problem?

So far, I tried to use the checkServerIdentity feature for checking. However, if the verification fails at https://github.com/nodejs/node/blob/ab5fa2a2210416b0db0e601620da81ce34adf59a/lib/_tls_wrap.js#L1600C35-L1600C47 checkServerIdentity is never called. The verification happens inside OpenSSL apparently. I got a self-signed certificate error in my first attempts, so it did not reach the checkServerIdentity. I can not supply the certificate as ca, as I do not know it before a connection. rejectUnauthorized=false is not an option, as it also removes the call to checkServerIdentity:

I see the following options:

  1. I have missed something, and there is a workaround, so that patch for node.js is not required (as it would allow usage in older node versions, this is my preferred option).
  2. An option for supplying a custom certificate verifier function as a replacement for the OpenSSL version, analog to checkServerIdentity
  3. An option to use only checkServerIdentity and no certificate verification with OpenSSL

(If I am not mistaken, this is also missing for the tlscontext.cc in quic).

Of course, whatever option is the best (if any), I would be happy to create a PR.

What alternatives have you considered?

No response

martenrichter commented 6 months ago

Well no feedback so far...., as I said, I may write a PR for this, if I know it has a chance to land in node.js...

martenrichter commented 6 months ago

Ok, I have now implemented a workaround, doing verification after connection: https://github.com/fails-components/webtransport/commit/fb9b7dc3cb60f13c232510cce78edc9b1c663811 I do not like this, but it will work for now.

github-actions[bot] commented 3 weeks ago

There has been no activity on this feature request for 5 months. To help maintain relevant open issues, please add the https://github.com/nodejs/node/labels/never-stale label or close this issue if it should be closed. If not, the issue will be automatically closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document.

martenrichter commented 3 weeks ago

Well no feedback so far...., I just post something to make the bot happy.