Adds support for certificates with empty Subject #94
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Node.js default verification does not consider the possibility of an empty subjects ([issue](nodejs/node#11771)). In somce cases Windows Active Directory will use certificates with empty subjects, see this [article](https://blogs.technet.microsoft.com/askds/2008/09/16/third-party-application-fails-using-ldap-over-ssl/) for details, making necessary that the connector supports them to use `ldaps`. This change adds a new configuration option `SSL_ENABLE_EMPTY_SUBJECT` that enables using a patched verification for the server identity that allows using certificates with empty subject. We want to avoid modifying the default behaviour unless required so this flag defaults to `false` and can be enabled when required.
|
@CriGoT looks good to me, the only thing I don't understand is why we would have this disabled by default? |
|
I did that for two reasons:
However, I think we can enable it by default and allow people that customized the setup to turn it off. |
|
yes, I think we should enable by default since as you mentioned this is valid in the specification |
CriGoT
changed the title
CriGoT
force-pushed
the
support-for-empty-subject-certs
branch
from
e64042c
to
58bb60a
Compare
CriGoT
changed the title
|
Awesome, published as |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Node.js default server identity verification does not consider the possibility of certificates with an empty subjects (issue). This type of certificates are sometimes used by Windows Active Directory, see this article for details, making it necessary that the connector supports validating them to use
ldaps.This change adds a new configuration option
SSL_ENABLE_EMPTY_SUBJECTthat enables using a patched verification for the server identity that allows using certificates with empty subject. We want to avoid modifying the default behaviour unless required so this flag defaults tofalse.