Browse Source

v2.4.1 disallow domain fronting

v2.3 v2.4.1
AJ ONeal 6 years ago
parent
commit
2cfba7a2e7
  1. 17
      index.js
  2. 2
      package.json

17
index.js

@ -517,10 +517,27 @@ Greenlock.create = function (gl) {
req.headers.host = host.join(':');
}
if (gl.__sni_allow_fronting) {
if (req.socket && 'string' === typeof req.socket.servername) {
if (safehost && (safehost !== req.socket.servername.toLowerCase())) {
res.statusCode = 400;
res.end("Don't be frontin', yo!"
+ " TLS SNI '" + req.socket.servername.toLowerCase() + "' does not match 'Host: " + safehost + "'");
return;
}
} else if (safehost && !gl.middleware.sanitizeHost._skip_fronting_check) {
// TODO how to handle wrapped sockets, as with telebit?
console.warn("\n\n\n[greenlock] WARN: no string for req.socket.servername,"
+ " skipping fronting check for '" + safehost + "'\n\n\n");
gl.middleware.sanitizeHost._skip_fronting_check = true;
}
}
// carry on
realNext();
};
};
gl.middleware.sanitizeHost._skip_fronting_check = false;
return gl;
};

2
package.json

@ -1,6 +1,6 @@
{
"name": "greenlock",
"version": "2.4.0",
"version": "2.4.1",
"description": "Let's Encrypt for node.js on npm",
"main": "index.js",
"files": [

Loading…
Cancel
Save