Update README.md

AJ ONeal 2015-04-01 11:31:46 -06:00
parent c85c1b734f
commit fab20e71fb
1 changed files with 24 additions and 13 deletions

@ -115,8 +115,6 @@ yourself, well, you can.
Kinda Bad Ideas
=====
You could turn off ssl checking for a single request like so:
```javascript
'use strict';
@ -125,21 +123,12 @@ You could turn off ssl checking for a single request like so:
var agent;
agentOptions = {
host: "www.example.com"
, port: "443"
host: 'www.example.com'
, port: '443'
, path: '/'
// This allows the single bad certificate
// instead of making your entire node process completely, utterly
, rejectUnauthorized: false
};
// If you were using a self-signed cert you would add this option:
// agentOptions.ca = [ selfSignedRootCaPemCrtBuffer ];
// For trusted-peer connections you would also add these 2 options:
// agentOptions.key = serverPemKeyBuffer;
// agentOptions.cert = serverPemCrtSignedBySelfSignedRootCaBuffer;
agent = new https.Agent(agentOptions);
request({
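Review bot: The comment above `rejectUnauthorized: false` in this hunk stops mid-sentence at "completely, utterly", so the example no longer says what the option is being contrasted with. Finish the sentence (the paragraph after the example ends the same phrase with "insecure") or cut the comment down to its first line. Minor style point in the same block: `port: '443'` could be the number 443 rather than a quoted string.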
@ -151,6 +140,25 @@ You could turn off ssl checking for a single request like so:
});
```
By using an `agent` with `rejectUnauthorized` you at limit the security vulnerability to the requests that deal with that one site instead of making your entire node process completely, utterly insecure.
### Other Options
If you were using a self-signed cert you would add this option:
```javascript
agentOptions.ca = [ selfSignedRootCaPemCrtBuffer ];
```
For trusted-peer connections you would also add these 2 options:
```javascript
agentOptions.key = clientPemKeyBuffer;
agentOptions.cert = clientPemCrtSignedBySelfSignedRootCaBuffer;
```
REALLY Bad Ideas
===
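Review bot: The new "Other Options" section adds `agentOptions.ca` to an `agentOptions` object that, in the example just above, still sets `rejectUnauthorized: false`. A reader who applies both keeps verification switched off, and the connection is accepted whether or not the certificate chains to the supplied CA. Say explicitly that `rejectUnauthorized: false` should be removed once `ca` is set, or move the section out from under "Kinda Bad Ideas". The rename from `serverPem...` to `clientPem...` for the trusted-peer options reads correctly. In the added paragraph, "you at limit" is missing a word (probably "you at least limit").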
@ -171,6 +179,9 @@ export NODE_TLS_REJECT_UNAUTHORIZED="0"
node my-service.js
```
It's unfortunate that `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';` is even documented. It should only be used for debugging and should never make it into in sort of code that runs in the wild. Almost every library that runs atop `https` has a way of passing agent options through. Those that don't should be fixed.
# Index
Other information you might want to know while you're here.
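Review bot: Typo in the added paragraph: "never make it into in sort of code" should read "into any sort of code". The paragraph also names `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';` while the code block directly above shows the `export NODE_TLS_REJECT_UNAUTHORIZED="0"` form; mention both so it is clear the warning covers the shell variable as well as the in-process assignment.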