Security flaw in WebSocket TLS client authentication #526

Open
ghost opened this issue Aug 4, 2020 · 0 comments


ghost commented Aug 4, 2020

Hardcoding the rejectUnauthorized option in lib/transport/websocket.js to false exposes autobahn-js clients to man-in-the-middle attacks, as server certificates are never verified against the list of supplied certificate authorities.

In production environments, the rejectUnauthorized option must always default to true, not false. This option is passed through to https.request in Node.js and overwrites its default value, which is true.

If you are using a self-signed server certificate in development or test environments, you should be able to pass the rejectUnauthorized: false option.

Fix:

  • Extend the tlsConfiguration options with an optional rejectUnauthorized option.
  • If this option is not specified, pass rejectUnauthorized: true.
  • Document this option in your API reference (Options that control TLS connection), explaining the implications of setting it to false.

Thanks for providing a patch release fixing this issue!
Hubertus
