tls.checkServerIdentity(hostname, cert)

版本历史

版本	变更
v14.18.3	响应 CVE-2021-44531，已禁用对 `uniformResourceIdentifier` 主题替代名称的支持。
v0.8.4	新增于: v0.8.4

hostname <string> 用于验证证书的主机名或 IP 地址。
cert <Object> 证书对象代表对等方的证书。
返回: <Error> | <undefined>

验证证书 cert 颁发给 hostname。

返回 <Error> 对象，失败时用 reason、host 和 cert 填充它。当成功时，返回 <undefined>。

可以通过提供替代函数作为传给 tls.connect() 的 options.checkServerIdentity 选项的一部分来覆盖此函数。覆盖函数当然可以调用 tls.checkServerIdentity()，以增加通过额外验证完成的检查。

此函数仅在证书通过所有其他检查时才会调用，例如由受信任的 CA (options.ca) 颁发。

如果存在匹配的 uniformResourceIdentifier 主题替代名称，则 Node.js 的早期版本会错误地接受给定 hostname 的证书（请参阅 CVE-2021-44531）。希望接受 uniformResourceIdentifier 主题替代名称的应用程序可以使用实现所需行为的自定义 options.checkServerIdentity 函数。

History

Version	Changes
v14.18.3	Support for `uniformResourceIdentifier` subject alternative names has been disabled in response to CVE-2021-44531.
v0.8.4	Added in: v0.8.4

hostname <string> The host name or IP address to verify the certificate against.
cert <Object> A certificate object representing the peer's certificate.
Returns: <Error> | <undefined>

Verifies the certificate cert is issued to hostname.

Returns <Error> object, populating it with reason, host, and cert on failure. On success, returns <undefined>.

This function can be overwritten by providing alternative function as part of the options.checkServerIdentity option passed to tls.connect(). The overwriting function can call tls.checkServerIdentity() of course, to augment the checks done with additional verification.

This function is only called if the certificate passed all other checks, such as being issued by trusted CA (options.ca).

Earlier versions of Node.js incorrectly accepted certificates for a given hostname if a matching uniformResourceIdentifier subject alternative name was present (see CVE-2021-44531). Applications that wish to accept uniformResourceIdentifier subject alternative names can use a custom options.checkServerIdentity function that implements the desired behavior.