Node.js TLS connections without hostname verification

Question

I'm playing with a swarm of "nodes" connecting to each other, and all I really care for is that they are connected securely to each other and are all authenticated.

For this I figured the TLS module would be a good fit. I created a CA and signed a bunch of certificates, one for each node. I then hit the issue that certificates are now validated against the host from which the node connects.

Is it possible somehow to disable or work around the Common Name validation?

Is there something fundamentally flawed about this setup?

Am I correct that, as long as these certificates are signed by my CA, the connection should be secure and I am certain only my nodes can connect?

It seems like just an annoyance having to sign certificates locked to a hostname or IP (or several in case of multiple interfaces). I've learned that the requirement to validate the host is actually not a part of TLS but HTTPS - in that light, it might be a Node.js bug to do so by default?

Answer 1

Is it possible somehow to disable or work around the Common Name validation?

This is possible by setting the checkServerIdentity option of tls.connect to a no-op function:

const tls = require('tls')
tls.connect({
  checkServerIdentity: () => undefined,
  ...
})

Sources:

• https://nodejs.org/api/tls.html#tls_tls_checkserveridentity_host_cert
• https://github.com/nodejs/node/blob/df63e534584a54dcf02b37446e1e821382e3cef3/lib/tls.js#L168-L231
• https://github.com/nodejs/node/blob/79261f3003719264bc03f6a5b54cf9eddbc8b48e/lib/_tls_wrap.js#L1046