tls.checkServerIdentity(hostname, cert)


Verifies that the certificate cert is issued to hostname.

Returns an <Error> object, populating it with reason, host, and cert on failure. On success, returns <undefined>.

This function is intended to be used in combination with the checkServerIdentity option that can be passed to tls.connect() and as such operates on a certificate object. For other purposes, consider using x509.checkHost() instead.

This function can be overwritten by providing an alternative function as the options.checkServerIdentity option that is passed to tls.connect(). The overwriting function can of course call tls.checkServerIdentity() to augment the checks done with additional verification. Note that the override replaces the built-in hostname check rather than adding to it: a custom function that neither calls tls.checkServerIdentity() nor performs an equivalent check, and simply returns undefined, accepts any certificate for any hostname.

This function is only called if the certificate passed all other checks, such as being issued by a trusted CA (options.ca).

Earlier versions of Node.js incorrectly accepted certificates for a given hostname if a matching uniformResourceIdentifier subject alternative name was present (see CVE-2021-44531). Applications that wish to accept uniformResourceIdentifier subject alternative names can use a custom options.checkServerIdentity function that implements the desired behavior.