tls: warn on NODE_TLS_REJECT_UNAUTHORIZED = '0'

Warn on the first request that sets the
NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0'.

PR-URL: #21900
Refs: #21774
Reviewed-By: James M Snell <jasnell@gmail.com>

Author: cjihrig

lib/_tls_wrap.js

@@ -1098,14 +1098,25 @@ function onConnectEnd() {
   }
 }
 
+let warnOnAllowUnauthorized = true;
+
 // Arguments: [port,] [host,] [options,] [cb]
 exports.connect = function connect(...args) {
   args = normalizeConnectArgs(args);
   var options = args[0];
   var cb = args[1];
+  const allowUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0';
+
+  if (allowUnauthorized && warnOnAllowUnauthorized) {
+    warnOnAllowUnauthorized = false;
+    process.emitWarning('Setting the NODE_TLS_REJECT_UNAUTHORIZED ' +
+                        'environment variable to \'0\' makes TLS connections ' +
+                        'and HTTPS requests insecure by disabling ' +
+                        'certificate verification.');
+  }
 
   var defaults = {
-    rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED,
+    rejectUnauthorized: !allowUnauthorized,
     ciphers: tls.DEFAULT_CIPHERS,
     checkServerIdentity: tls.checkServerIdentity,
     minDHSize: 1024

test/parallel/test-https-strict.js

@@ -28,6 +28,14 @@ if (!common.hasCrypto)
 // disable strict server certificate validation by the client
 process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
 
+common.expectWarning(
+  'Warning',
+  'Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to \'0\' ' +
+  'makes TLS connections and HTTPS requests insecure by disabling ' +
+  'certificate verification.',
+  common.noWarnCode
+);
+
 const assert = require('assert');
 const https = require('https');