Implemented checkSSL #1441

Open
pablodelolmo wants to merge 3 commits into fastly:main from pablodelolmo:pablo/not-verify-ssl

@pablodelolmo
Contributor

Rationale behind this PR

One of the features currently present in our delivery services when defining a backend is the possibility to disable TLS certificate validation when reaching backends (see ssl_check_cert in our API docs). We currently support that in our Compute platform, but the way of doing it is to not define the backend certificate fields such as sniHostname, certificateHostname and caCertificate. The intention of adding this is to have the same explicit field and handle the behind-the-scenes removal of those fields when dealing with the Compute runtime.

What's in this PR

  • The SDK & runtime changes to do that.
  • Integration tests
  • Updated documentation

pablodelolmo and others added 2 commits April 23, 2026 12:57
Like we currently do in Delivery services, having this parameter when defining a Backend takes care of the behind-the-scenes work to disable backend server validation.
Comment thread package.json Outdated
{
"name": "@fastly/js-compute",
"version": "3.41.1",
"version": "3.41.2",
Member

we'll bump this ourselves, no need to do it in your PR.

});
},
);
}
Member

Can you add a test that actually hits https://http-me.fastly.dev?

- Added different test sets for the checkSSL feature, covering expired, wrong hostname and self-signed certs.
- Reverted package version bumps.
@pablodelolmo
Contributor Author

Added three sets of tests for three different scenarios. The scenarios are:

  • Expired cert
  • Wrong hostname in the cert
  • Self-signed cert

The set of tests for each one is:

  • Without checkSSL (which defaults to true) and defining the SNI & CN -> Fetch fails (test successful)
  • With checkSSL set to true and defining the SNI & CN -> Fetch fails (test successful)
  • With checkSSL set to false and defining the SNI & CN -> Fetch goes through (test successful)
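
Added example, not part of the PR or of the Fastly SDK: a small audit over backend definitions that reports where certificate validation is off, either explicitly through `checkSSL: false` or implicitly by leaving out the certificate fields, as the PR description explains. The classification rule, the backend names and the `target` hosts are assumptions made for illustration.

```javascript
// Added example (not code from the PR): audit backend definitions for
// disabled TLS certificate validation.
// Field names are the ones named in the PR; the rule set is an assumption
// built from the PR description, not the runtime's actual logic.
const CERT_FIELDS = ["sniHostname", "certificateHostname", "caCertificate"];

function classifyBackend(cfg) {
  // Certificate fields that carry a usable value in this definition.
  const defined = CERT_FIELDS.filter((f) => cfg[f] !== undefined && cfg[f] !== "");
  if (cfg.checkSSL === false) {
    return {
      name: cfg.name,
      validation: "explicit-off",
      // Per the PR, these fields are removed behind the scenes, so they
      // no longer protect the connection even though they are written down.
      ignoredFields: defined,
    };
  }
  if (defined.length === 0) {
    // Per the PR description, omitting the certificate fields is how
    // validation is currently left off on Compute.
    return { name: cfg.name, validation: "implicit-off", ignoredFields: [] };
  }
  return { name: cfg.name, validation: "on", ignoredFields: [] };
}

// Returns only the backends whose certificate validation is off.
function auditBackends(configs) {
  return configs.map(classifyBackend).filter((r) => r.validation !== "on");
}

// Constructed sample definitions (hypothetical names and hosts).
const SAMPLE_BACKENDS = [
  { name: "origin-a", target: "a.example.com", sniHostname: "a.example.com", certificateHostname: "a.example.com" },
  { name: "origin-b", target: "b.example.com" },
  { name: "origin-c", target: "c.example.com", checkSSL: false, sniHostname: "c.example.com", certificateHostname: "c.example.com" },
  { name: "origin-d", target: "d.example.com", checkSSL: true, certificateHostname: "d.example.com" },
];

for (const finding of auditBackends(SAMPLE_BACKENDS)) {
  const extra = finding.ignoredFields.length ? ` (ignored: ${finding.ignoredFields.join(", ")})` : "";
  console.log(`${finding.name}: certificate validation ${finding.validation}${extra}`);
}
```

The `explicit-off` case with a non-empty `ignoredFields` list matches the third test in each set above, where SNI and CN are defined but the fetch still goes through.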
