My node.js https client always works regardless of the validity of the certificate

This test program connects to the https server and receives some content. I checked my server in browsers and with curl, and the certificate works correctly. If I run curl to grab data from the server, it correctly complains about the unknown certificate if I do not pass it with --cacert or disable protection with -k.

So the problem is that although I think that my client should authenticate the certificate and I say where the public certificate is, it always works. If I remove the ca: option so that it does not know what the certificate is from the server, it silently works. I would like to catch an authentication error, but I cannot do this.

    var https = require('https');
    var fs = require('fs');

    function main() {
      var data = '';
      var get = https.get({
        path: '/',
        host: 'localhost',
        port: 8000,
        agent: false,
        ca: [ fs.readFileSync('https_simple/cacert.pem') ]
      }, function(x) {
        x.setEncoding('utf8');
        x.on('data', function(c) {data += c});
        x.on('error', function(e) { throw e; });
        x.on('end', function() {
          console.log('Hai!. Here is the response:');
          console.log(data);
        });
      });
      get.on('error', function(e) {throw e});
      get.end();
    }

    main();
+6
4 answers

To do this, I needed to switch to v0.7.8 (although any v0.7 should be fine), where the rejectUnauthorized function was added to https.get.

This combination of parameters is required:

    agent: false, // or you can supply your own agent, but if you don't you must set to false
    rejectUnauthorized: true,
    ca: [ fs.readFileSync('https_simple/cacert.pem') ]

Now, if authentication fails, you will receive an error event and the request will not continue.

For more information on creating your own agent, see the https.request documentation.

The bug was fixed in this change: https://github.com/joyent/node/commit/f8c335d0

+10

According to the documentation for https.request, the ca parameter of both https.get and https.request is an option from tls.connect. The documentation for the tls.connect module function parameters reads as follows:

ca: an array of strings or a buffer of trusted certificates. If this is omitted, several well-known "root" CAs will be used, like VeriSign. These are used to authorize connections.

Digging into the node.js source, the root certificates used can be found here: https://github.com/joyent/node/blob/master/src/node_root_certs.h

In short, without a certificate provided as an https.get option, the https.get module will try to authenticate the connection using the list of root certificates.

+4

I do this in npm using the request module. This happens as follows:

    var cacert = ... // in npm, this is a config setting
    var request = require("request")
    request.get({ url: "https://...", ca: cacert, strictSSL: true })
      .on("response", function (resp) { ... })
      .on("error", function (er) { ... })

An error event will be raised if ssl is invalid.

+2

In v0.6.15, you need to explicitly check whether the certificate verification passed or failed.

    if (x.connection.authorized === false) {
      console.log('SSL Authentication failed');
    } else if (x.connection.authorized === true) {
      console.log('SSL Authentication succeeded');
    }
+1
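
An added example (not code from the question or any of the answers): a wrapper that combines the rejectUnauthorized setting from the first answer with the explicit authorized check from the last one, so a request cannot silently proceed past a failed verification. The helper names auditTlsOptions, assertAuthorized and strictGet are hypothetical, and the NODE_TLS_REJECT_UNAUTHORIZED check assumes a current Node.js release.

```javascript
'use strict';
// Added example, not code from the thread. auditTlsOptions, assertAuthorized
// and strictGet are hypothetical helper names.
const https = require('https');

// List the reasons a request built from `options` could succeed against a
// server whose certificate does not verify. `env` is injectable for testing.
function auditTlsOptions(options, env = process.env) {
  const problems = [];
  if (options.rejectUnauthorized === false) {
    problems.push('rejectUnauthorized is false');
  }
  // Environment switch that turns verification off by default in current Node.js.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    problems.push('NODE_TLS_REJECT_UNAUTHORIZED=0 is set');
  }
  return problems;
}

// The explicit post-handshake check from the last answer, as a hard failure.
// `socket` is the TLS socket of the response (res.socket).
function assertAuthorized(socket) {
  if (!socket || socket.authorized !== true) {
    const reason = socket && socket.authorizationError;
    throw new Error('TLS peer not authorized: ' + (reason || 'unknown reason'));
  }
}

// https.get wrapper: refuse weakened settings, force verification, and
// re-check the socket before handing the response to the caller.
function strictGet(options, onResponse, onError) {
  const problems = auditTlsOptions(options);
  if (problems.length > 0) {
    throw new Error('refusing insecure TLS settings: ' + problems.join('; '));
  }
  const req = https.get({ ...options, rejectUnauthorized: true }, (res) => {
    try {
      assertAuthorized(res.socket);
    } catch (err) {
      res.destroy();
      return onError(err);
    }
    onResponse(res);
  });
  req.on('error', onError); // certificate failures arrive here
  return req;
}
```

Pass the same ca list as in the question in `options`; a certificate that does not chain to it then surfaces through `onError` instead of a normal response.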

Source: https://habr.com/ru/post/913135/

