Skip to main content
checkServerIdentity - tls - Node documentation
function checkServerIdentity

Usage in Deno

import { checkServerIdentity } from "node:tls";
checkServerIdentity(
hostname: string,
): Error | undefined

Verifies the certificate cert is issued to hostname.

Returns Error object, populating it with reason, host, and cert on failure. On success, returns undefined.

This function is intended to be used in combination with thecheckServerIdentity option that can be passed to connect and as such operates on a certificate object. For other purposes, consider using x509.checkHost() instead.

This function can be overwritten by providing an alternative function as the options.checkServerIdentity option that is passed to tls.connect(). The overwriting function can call tls.checkServerIdentity() of course, to augment the checks done with additional verification.

This function is only called if the certificate passed all other checks, such as being issued by trusted CA (options.ca).

Earlier versions of Node.js incorrectly accepted certificates for a givenhostname if a matching uniformResourceIdentifier subject alternative name was present (see CVE-2021-44531). Applications that wish to acceptuniformResourceIdentifier subject alternative names can use a custom options.checkServerIdentity function that implements the desired behavior.

Parameters

hostname: string

The host name or IP address to verify the certificate against.

A certificate object representing the peer's certificate.

Return Type

Error | undefined