From 3095eecc4748da4ce7ac70e2b352ddba6c4c4deb Mon Sep 17 00:00:00 2001
From: cjihrig
Date: Thu, 19 Jul 2018 22:02:44 -0400
Subject: [PATCH] tls: warn on NODE_TLS_REJECT_UNAUTHORIZED = '0'

Warn on the first request that sets the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to '0'.

PR-URL: https://github.com/nodejs/node/pull/21900
Refs: https://github.com/nodejs/node/issues/21774
Reviewed-By: James M Snell
---
 lib/_tls_wrap.js                   | 13 ++++++++++++-
 test/parallel/test-https-strict.js |  8 ++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index c4118c3af1767b..225d65fee3dd3d 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -1098,14 +1098,25 @@ function onConnectEnd() {
   }
 }
 
+let warnOnAllowUnauthorized = true;
+
 // Arguments: [port,] [host,] [options,] [cb]
 exports.connect = function connect(...args) {
   args = normalizeConnectArgs(args);
   var options = args[0];
   var cb = args[1];
+  const allowUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0';
+
+  if (allowUnauthorized && warnOnAllowUnauthorized) {
+    warnOnAllowUnauthorized = false;
+    process.emitWarning('Setting the NODE_TLS_REJECT_UNAUTHORIZED ' +
+                        'environment variable to \'0\' makes TLS connections ' +
+                        'and HTTPS requests insecure by disabling ' +
+                        'certificate verification.');
+  }
 
   var defaults = {
-    rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED,
+    rejectUnauthorized: !allowUnauthorized,
     ciphers: tls.DEFAULT_CIPHERS,
     checkServerIdentity: tls.checkServerIdentity,
     minDHSize: 1024
diff --git a/test/parallel/test-https-strict.js b/test/parallel/test-https-strict.js
index f575f524061580..0e8f725a5db2ac 100644
--- a/test/parallel/test-https-strict.js
+++ b/test/parallel/test-https-strict.js
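Review bot: The module-level gate `let warnOnAllowUnauthorized = true;` carries no comment explaining that the warning is deliberately emitted at most once per process; add `// Emit the NODE_TLS_REJECT_UNAUTHORIZED warning only once per process.` above it so a future reader does not mistake the one-shot flag for a bug. The check also runs before `options` is combined with `defaults`, so it appears the warning fires even when a caller explicitly passes `rejectUnauthorized: true` for this particular connection; that is defensible because the variable weakens every default in the process, but a one-line comment saying so would save the next reviewer the same question. `process.emitWarning` is called with only a message, so the warning has the generic 'Warning' name and no code, which means operators and tooling can only recognise it by matching the full text; if a code is wanted later, the test's `common.noWarnCode` expectation would have to change with it. The body of `connect` continues outside the hunk, so where the merge with `defaults` happens is inferred rather than visible here.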
@@ -28,6 +28,14 @@ if (!common.hasCrypto)
 // disable strict server certificate validation by the client
 process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
 
+common.expectWarning(
+  'Warning',
+  'Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to \'0\' ' +
+  'makes TLS connections and HTTPS requests insecure by disabling ' +
+  'certificate verification.',
+  common.noWarnCode
+);
+
 const assert = require('assert');
 const https = require('https');
 