问题描述
我正在使用一群相互连接的节点",我真正关心的是它们彼此安全连接并且都经过身份验证.
I'm playing with a swarm of "nodes" connecting to each other, and all I really care for is that they are connected securely to each other and are all authenticated.
为此,我认为 TLS 模块非常适合.我创建了一个 CA 并签署了一堆证书,每个节点一个.然后我遇到了现在针对节点连接的主机验证证书的问题.
For this I figured the TLS module would be a good fit. I created a CA and signed a bunch of certificates, one for each node. I then hit the issue that certificates are now validated against the host from which the node connects.
是否可以以某种方式禁用或绕过通用名称验证?
Is it possible somehow to disable or work around the Common Name validation?
这个设置有什么根本性的缺陷吗?
Is there something fundamentally flawed about this setup?
我是否正确,只要这些证书由我的 CA 签署,连接就应该是安全的,并且我确定只有我的节点可以连接?
Am I correct that, as long as these certificates are signed by my CA, the connection should be secure and I am certain only my nodes can connect?
这似乎只是一个麻烦,必须签署锁定到主机名或 IP(或多个接口的情况下的几个)的证书.我了解到验证主机的要求实际上不是 TLS 而是 HTTPS 的一部分 - 从这个角度来看,默认情况下这样做可能是一个 Node.js 错误?
It seems like just an annoyance having to sign certificates locked to a hostname or IP (or several in case of multiple interfaces). I've learned that the requirement to validate the host is actually not a part of TLS but HTTPS - in that light, it might be a Node.js bug to do so by default?
推荐答案
这可以通过将 tls.connect
的 checkServerIdentity
选项设置为无操作功能来实现:
This is possible by setting the checkServerIdentity
option of tls.connect
to a no-op function:
const tls = require('tls')
tls.connect({
checkServerIdentity: () => undefined,
...
})
来源:
- https://nodejs.org/api/tls.html#tls_tls_checkserveridentity_host_cert
- https://github.com/nodejs/node/blob/df63e534584a54dcf02b37446e1e821382e3cef3/lib/tls.js#L168-L231
- https://github.com/nodejs/nodejs//blob/79261f3003719264bc03f6a5b54cf9eddbc8b48e/lib/_tls_wrap.js#L1046
这篇关于没有主机名验证的 Node.js TLS 连接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!