Improved certificate checking.

2025-03-09 15:40:18 +00:00 · 2020-11-08 13:29:37 -08:00 · 2020-11-08 13:29:37 -08:00 · 8b9a437ed7
commit 8b9a437ed7
parent c24c8821fe
3 changed files with 18 additions and 2 deletions
--- a/agents/meshcore.js
+++ b/agents/meshcore.js
@ -776,7 +776,12 @@ function createMeshCore(agent) {
                                    var woptions = http.parseUri(xurl);
                                    woptions.perMessageDeflate = false;
                                    if (typeof data.perMessageDeflate == 'boolean') { woptions.perMessageDeflate = data.perMessageDeflate; }
+
+                                    // Perform manual server TLS certificate checking based on the certificate hash given by the server.
                                    woptions.rejectUnauthorized = 0;
+                                    woptions.checkServerIdentity = function checkServerIdentity(certs) { if ((checkServerIdentity.servertlshash != null) && (checkServerIdentity.servertlshash != certs[0].fingerprint.split(':').join('').toLowerCase())) { throw new Error('BadCert') } }
+                                    woptions.checkServerIdentity.servertlshash = data.servertlshash;
+
                                    //sendConsoleText(JSON.stringify(woptions));
                                    //sendConsoleText('TUNNEL: ' + JSON.stringify(data));
                                    var tunnel = http.request(woptions);
@ -1147,7 +1152,12 @@ function createMeshCore(agent) {
                    data.url = 'http' + getServerTargetUrlEx('*/').substring(2);
                    var agentFileHttpOptions = http.parseUri(data.url);
                    agentFileHttpOptions.path = data.urlpath;
-                    agentFileHttpOptions.rejectUnauthorized = 0; // TODO: Check TLS cert
+
+                    // Perform manual server TLS certificate checking based on the certificate hash given by the server.
+                    agentFileHttpOptions.rejectUnauthorized = 0;
+                    agentFileHttpOptions.checkServerIdentity = function checkServerIdentity(certs) { if ((checkServerIdentity.servertlshash != null) && (checkServerIdentity.servertlshash != certs[0].fingerprint.split(':').join('').toLowerCase())) { throw new Error('BadCert') } }
+                    agentFileHttpOptions.checkServerIdentity.servertlshash = data.servertlshash;
+
                    if (agentFileHttpOptions == null) break;
                    var agentFileHttpRequest = http.request(agentFileHttpOptions,
                        function (response) {