Skip fingerprint check when TLS session is being reused #197
When a TLS session is reused by a connection, subsequent attempts to get the socket's peer certificate will return an empty object, as per the Node.js docs. This would cause the transport's server certificate CA fingerprint match check to fail. It is safe to assume a reused TLS session is secure because the fingerprint check was done on a prior request (see nodejs/node#3940 (comment)).
Currently, the transport will throw an error that the fingerprint does not match when a session is reused, because the certificate is empty. Checking for session reuse solves this problem, which was originally reported in elastic/elasticsearch-js#2355.