From 03e5c2e7355412b1f62dfaca5dd3146db4669b15 Mon Sep 17 00:00:00 2001
From: mikeburgh
Date: Wed, 7 May 2025 07:12:41 -0700
Subject: [PATCH 1/3] Fixing createSecureContext

Fixing logic for requireIdentityCheck. Fixing object order in sslOptions.
---
 lib/connection.js | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/connection.js b/lib/connection.js
index 11464333..2d1a2594 100644
--- a/lib/connection.js
+++ b/lib/connection.js
@@ -1339,14 +1339,13 @@ class Connection extends EventEmitter {
         this.opts.ssl === true ||
         this.opts.ssl.rejectUnauthorized === undefined ||
         this.opts.ssl.rejectUnauthorized === true;
-      info.requireIdentifyCheck = this.opts.ssl === true || this.opts.ssl.checkServerIdentity === undefined;
+      info.requireIdentifyCheck = this.opts.ssl === true || this.opts.ssl.checkServerIdentity !== undefined;
       const baseConf = {
         servername: this.opts.host,
         socket: this.socket,
         rejectUnauthorized: false,
-        checkServerIdentity: () => {}
       };
-      const sslOption = this.opts.ssl === true ? baseConf : Object.assign({}, this.opts.ssl, baseConf);
+      const sslOption = this.opts.ssl === true ? baseConf : Object.assign({}, baseConf, this.opts.ssl);
       try {
         const secureSocket = tls.connect(sslOption, callback);

From a9bbd303e79eeb3e919a0a1e6255432027cef7b5 Mon Sep 17 00:00:00 2001
From: mikeburgh
Date: Wed, 7 May 2025 07:13:50 -0700
Subject: [PATCH 2/3] Passing servername option to identity check

---
 lib/cmd/handshake/authentication.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/cmd/handshake/authentication.js b/lib/cmd/handshake/authentication.js
index da94506c..0fee29c3 100644
--- a/lib/cmd/handshake/authentication.js
+++ b/lib/cmd/handshake/authentication.js
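Review bot: The inverted test on the new `info.requireIdentifyCheck` line skips the driver-side hostname check for the common `ssl: { ca: ... }` configuration: an ssl object that omits `checkServerIdentity` now yields `false`, so the `tls.checkServerIdentity` branch in authentication.js is not reached, while `baseConf` still hands `rejectUnauthorized: false` to `tls.connect`, which makes Node's own identity failure non-fatal unless the caller's ssl object overrides it. Conversely, a caller who supplies a custom `checkServerIdentity` (which the reordered `Object.assign` now correctly forwards to `tls.connect`) also gets the built-in matcher run against the same certificate, defeating the custom one. Unless something outside the hunk consults `secureSocket.authorizationError`, I would keep the original sense, `info.requireIdentifyCheck = this.opts.ssl === true || this.opts.ssl.checkServerIdentity === undefined;`, with `// driver-side identity check only when the caller supplied no checkServerIdentity; theirs runs in tls.connect but is non-fatal under rejectUnauthorized:false`. The enclosing method starts and ends outside the hunk.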
@@ -97,7 +97,7 @@ class Authentication extends Command {
         }
         return this.throwNewError('self-signed certificate', true, info, '08000', Errors.ER_SELF_SIGNED);
       } else if (info.requireIdentifyCheck) {
-        const identityError = tls.checkServerIdentity(opts.host, info.tlsCert);
+        const identityError = tls.checkServerIdentity(typeof opts.ssl === 'object' && opts.ssl.servername ? opts.ssl.servername : opts.host, info.tlsCert);
         if (identityError) {
           return this.throwNewError(
             'certificate identify Error: ' + identityError.message,

From 33dc7590194b4bd5e5db0d77ba3e810a7247668f Mon Sep 17 00:00:00 2001
From: mikeburgh
Date: Wed, 7 May 2025 07:16:58 -0700
Subject: [PATCH 3/3] Update connection-options.md

---
 documentation/connection-options.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/documentation/connection-options.md b/documentation/connection-options.md
index 5b1c2e26..bd014deb 100644
--- a/documentation/connection-options.md
+++ b/documentation/connection-options.md
@@ -173,6 +173,7 @@ JSON object:
 |option|description|type|default|
 |---:|---|:---:|:---:|
+|**servername**| A string with the host name to use with SNI if different to host | *string*|
 |**checkServerIdentity**| `function(servername, cert)` to replace SNI default function| *Function*|
 |**minDHSize**| Minimum size of the DH parameter in bits to accept a TLS connection | *number*|1024|
 |**pfx**| Optional PFX or PKCS12 encoded private key and certificate chain. Encrypted PFX will be decrypted with `passphrase` if provided| *string / string[] / Buffer / Buffer[] / *Object[]*|
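Review bot: The identity the server certificate is matched against is computed inline in the `tls.checkServerIdentity` argument list on the added line, which buries the fallback rule and its coupling to SNI; I would hoist it: `// must equal the servername handed to tls.connect, or SNI and the identity check disagree`, `const expectedHost = typeof opts.ssl === 'object' && opts.ssl.servername ? opts.ssl.servername : opts.host;`, `const identityError = tls.checkServerIdentity(expectedHost, info.tlsCert);`. Note that `typeof null === 'object'`, so if `ssl: null` can reach this point the new expression throws a TypeError on `.servername` instead of falling back to `opts.host`; `opts.ssl && typeof opts.ssl === 'object'` would cover that. The enclosing method starts and ends outside the hunk.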