
Allow to trust certificate without adding full chain of trust

Open mdeknowis opened this issue 4 years ago • 4 comments

Is your feature request related to a problem? Please describe.

Currently, you have to provide the full chain of trust if you want to trust one certificate.

For example, if you have that chain of trust

  • CertHost: valid for *.myhost.com, signed by CertIntermediate
  • CertIntermediate: signed by CertRoot
  • CertRoot: self-signed by CertRoot

Currently you have to add all three certificates to the ca trust: CertHost, CertIntermediate, CertRoot.

The problem is that now we trust everything that is signed by CertIntermediate and CertRoot, even though we don't want that and only want to trust CertHost. So we are trusting thousands of certificates or more.

Describe the solution you'd like

Providing at least an optional configuration that allows trusting just certificates like CertHost without providing CertIntermediate and CertRoot. Then we have real control over which certificates we trust and are able to trust only a few.

mdeknowis avatar Jul 10 '20 08:07 mdeknowis

Chain verification is done by openssl and I'm unsure whether openssl supports what you're asking.

bnoordhuis avatar Jul 10 '20 08:07 bnoordhuis

There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.

For more information on how the project manages feature requests, please consult the feature request management document.

github-actions[bot] avatar Mar 18 '22 19:03 github-actions[bot]

> Currently, you have to put the full chain of trust, if you want to trust one certificate. The problem is, that now we trust everything, that is signed by CertIntermediate and CertRoot, even we don't want that, and only want to trust CertHost. So we are trusting thousands and more certificates.

I think you should be able to avoid that by passing the chain of trust as the ca option to any TLS client APIs, see createSecureContext. Then, to only trust specific certificates, also pass a checkServerIdentity function. You can use, for example, the cert.fingerprint256 property to uniquely identify a certificate.

tniessen avatar Mar 19 '22 12:03 tniessen

There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.

For more information on how the project manages feature requests, please consult the feature request management document.

github-actions[bot] avatar Sep 19 '22 01:09 github-actions[bot]

There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment.

For more information on how the project manages feature requests, please consult the feature request management document.

github-actions[bot] avatar Oct 19 '22 01:10 github-actions[bot]