Skip to content

Commit

Permalink
[actions] for simplistic email servers, set rejectUnauthorized to fal…
Browse files Browse the repository at this point in the history
…se (#91760)

resolves #91686

The poor email action has not had great success in setting TLS options
correctly.  Prior to 7.11, it was basically always setting `rejectUnauthorized`
to false, so was never validating certificates.  Starting in 7.11.0, it
started respecting TLS certificates, but there are some simple/test servers
in use that use self-signed certificates.

The real fix for this will be the resolution of issue
#80120 , but until then, this PR
does a special-case check if the `secure` option is off (so the email client
connects with a plain socket and then upgrades to TLS via STARTTLS) and both
the user and password for the server are not set, then it will use
`rejectUnauthorized: false`.  Otherwise, it uses the global configured value
of this setting.

This also changes some other cases, where `secure: true` often did not
set any `rejectUnauthorized` property at all, and so did not get verified.
Now in all cases, `rejectUnauthorized` will be set, and the value will
correspond to the globally configured value, except for the special case
checked here, and when a proxy is in use (that logic did not change).

So it is possible this would break customers, who were using insecure servers
and email action worked, but with this fix the connections will be rejected.
They should have been rejected all this time though.

The work-around for this problem, if we don't implement a fix like this, is
that customers will need to set the global `rejectUnauthorized` to `false`,
which means NONE of their TLS connections for any actions will be verified.
Which seems extreme.
  • Loading branch information
pmuellr authored Mar 1, 2021
1 parent 31889a5 commit ff546a1
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,7 @@ describe('send_email module', () => {
"port": 1025,
"secure": false,
"tls": Object {
"rejectUnauthorized": true,
"rejectUnauthorized": false,
},
},
]
Expand Down Expand Up @@ -187,6 +187,9 @@ describe('send_email module', () => {
"host": "example.com",
"port": 1025,
"secure": true,
"tls": Object {
"rejectUnauthorized": true,
},
},
]
`);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -80,10 +80,13 @@ export async function sendEmail(logger: Logger, options: SendEmailOptions): Prom
};
transportConfig.proxy = proxySettings.proxyUrl;
transportConfig.headers = proxySettings.proxyHeaders;
} else if (!transportConfig.secure) {
transportConfig.tls = {
rejectUnauthorized,
};
} else if (!transportConfig.secure && user == null && password == null) {
// special case - if secure:false && user:null && password:null set
// rejectUnauthorized false, because simple/test servers that don't even
// authenticate rarely have valid certs; eg cloud proxy, and npm maildev
transportConfig.tls = { rejectUnauthorized: false };
} else {
transportConfig.tls = { rejectUnauthorized };
}
}

Expand Down

0 comments on commit ff546a1

Please sign in to comment.