subject alternative names not respected by `tls.checkServerIdentity`

[richardbann]

• Version: v6.9.1
• Platform: Linux 4.4.0-47-generic contributing: commiter git FAQ #68-Ubuntu SMP Wed Oct 26 19:39:52 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
• Subsystem: tls

The tls.checkServerIdentity (https://github.com/nodejs/node/blob/master/lib/tls.js#L144) function assumes that subject alternative names can be accessed as cert.subjectaltname. Tests also use this: https://github.com/nodejs/node/blob/master/test/parallel/test-tls-check-server-identity.js#L59

At the same time the certificate object looks like something like this (as reported by tls.connect):

{
  subject: {
    CN: 'server',
    subjectAltName: 'DNS.1=localhost,DNS.2=vertis.com'
  },
  issuer: { CN: 'server-ca' },
  modulus: 'BF6E...',
  exponent: '0x10001',
  valid_from: 'Nov 16 13:36:31 2016 GMT',
  valid_to: 'Mar 31 13:36:31 2018 GMT',
  fingerprint: 'D1:9D:36:92:A6:E8:6D:80:48:89:FF:CA:73:1D:76:4F:C7:73:0B:1C',
  serialNumber: 'E70DDB6FE3209190',
  raw: <Buffer 30 82 02 ...>
}

This way the alt names will never be respected.

[mscdex]

/cc @indutny

[bnoordhuis]

Please post a standalone test case. I'm highly skeptical that this bug report is correct. To illustrate:

$ node-v6.9.1-linux-x64/bin/node -e \
'tls.connect({host:"google.com",port:443}, function() { console.log(this.getPeerCertificate()) })'
{ subject: 
   { C: 'US',
     ST: 'California',
     L: 'Mountain View',
     O: 'Google Inc',
     CN: '*.google.com' },
  issuer: { C: 'US', O: 'Google Inc', CN: 'Google Internet Authority G2' },
  subjectaltname: 'DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:policy.mta-sts.google.com, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com',
  infoAccess: 
   { 'CA Issuers - URI': [ 'http://pki.google.com/GIAG2.crt' ],
     'OCSP - URI': [ 'http://clients1.google.com/ocsp' ] },
  modulus: 'B7BA52E92F994C35FDB460514F133BC1C6C7F73DFE0344DF1B430AC53CB09D7BE21724B0D9F7F4F10A46ECD94194F4962E5076B502063AEBADBC75B914FA3867E21EE6D277D30C5B885F626E4978DE0F39C2210CD17CFEC400BB6281FA59B60E3FC06A3A1B4E709C23634312CE0743F1864E8443675862BCB941324D5E6E9F5FBF3D32E81BFFA88FB5EFC31A70F9798931C8A1BB1CB95B72FFB0CBE85B0D1985B24897384D0D0C23C867156229E2252D454B6D9674231880B7C213ADC15E37634B93F88E403E0E009C9B3F2678C7AF41EDA6982D954944C1BEFF668704DCF7AD65F43687337A532D12D3BCE01CCB5A0DF0CDC0BBD8306F9A33AC1CC17C7939B3',
  exponent: '0x10001',
  valid_from: 'Nov  3 01:49:41 2016 GMT',
  valid_to: 'Jan 26 01:13:00 2017 GMT',
  fingerprint: 'E5:6D:C5:F8:C4:6E:B2:4B:04:23:14:A1:71:06:BB:B0:A5:61:9E:1B',
  ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
  serialNumber: '05E620829390402C',

[richardbann]

Thank you for helping me figure this out. This was caused by an invalid certificate. The issue can be closed.