tls: handle empty cert in checkServerIndentity

This resolves nodejs/node-v0.x-archive#9272. `tlsSocket.getPeerCertificate` will return an empty object when the peer does not provide a certificate, but, prior to this, when the certificate is empty, `checkServerIdentity` would throw because the `subject` wasn't present on the cert. `checkServerIdentity` must return an error, not throw one, so this returns an error when the cert is empty instead of throwing a `TypeError`. PR-URL: #2343 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
nodejs · Aug 21, 2015 · d9b70f9 · d9b70f9
1 parent 3f821b9
commit d9b70f9
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/lib/tls.js b/lib/tls.js
@@ -151,7 +151,7 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
                            host,
                            ips.join(', '));
     }
-  } else {
+  } else if (cert.subject) {
     // Transform hostname to canonical form
     if (!/\.$/.test(host)) host += '.';
 
@@ -204,6 +204,8 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
                              cert.subject.CN);
       }
     }
+  } else {
+    reason = 'Cert is empty';
   }
 
   if (!valid) {

diff --git a/test/parallel/test-tls-check-server-identity.js b/test/parallel/test-tls-check-server-identity.js
@@ -30,6 +30,13 @@ var tests = [
            'DNS:omg.com'
   },
 
+  // Empty Cert
+  {
+    host: 'a.com',
+    cert: { },
+    error: 'Cert is empty'
+  },
+
   // Multiple CN fields
   {
     host: 'foo.com', cert: {