My node.js https client always works regardless of the validity of the certificate

Question

My node.js https client always works regardless of the validity of the certificate

This test program connects to the https server and receives some content. I checked my server in browsers and with curls, and the certificate works correctly. If I run curl to grab data from the server, it correctly complains about the unknown certificate, if I do not transfer it with -cacert or disable protection with -k.

So the problem is that although I think that my client should authenticate the certificate and I say where the public certificate is, it always works. If I remove the ca: option so that it does not know what the certificate is from the server, it silently works. I would like to catch an authentication error, but I cannot do this.

var https = require('https'); var fs = require('fs'); function main() { var data = ''; var get = https.get({ path: '/', host: 'localhost', port: 8000, agent: false, ca: [ fs.readFileSync('https_simple/cacert.pem') ] }, function(x) { x.setEncoding('utf8'); x.on('data', function(c) {data += c}); x.on('error', function(e) { throw e; }); x.on('end', function() { console.log('Hai!. Here is the response:'); console.log(data); }); }); get.on('error', function(e) {throw e}); get.end(); } main();

+6

javascript node.js https httpclient

justinhj Apr 13 '12 at 14:10

source share

4 answers

According to the documentation for https.request the ca parameter of both https.get and https.request is an option from tls.connect . The documentation for the tls.connect module function parameters reads as follows:

ca : an array of strings or a buffer of trusted certificates. If this is omitted, several well-known "root" CAs, like VeriSign. They are used to authorize connections.

Digging into the source node.js, the root certificates used can be found here: https://github.com/joyent/node/blob/master/src/node_root_certs.h

In short, without the cert certificate provided as the https.get option, the https.get module will try to authenticate the connection using the list of root certificates.

+4

Pero P. Apr 17 '12 at 21:59

source share

I do this in npm using the request module. This happens as follows:

 var cacert = ... // in npm, this is a config setting var request = require("request") request.get({ url: "https://...", ca: cacert, strictSSL: true }) .on("response", function (resp) { ... }) .on("error", function (er) { ... })

An error event will be raised if ssl is invalid.

+2

isaacs Apr 20 '12 at 5:14

source share

In V 0.6.15, you need to explicitly check whether the certificate verification passed or failed.

 if (x.connection.authorized === false) { console.log('SSL Authentication failed'); } else if (x.connection.authorized === true) { console.log('SSL Authentication succeeded'); }

+1

Old pro Apr 19 '12 at 5:38

source share

justinhj · Accepted Answer · 2012-04-20T03:55:18+0000

To do this, I needed to switch to v0.7.8 (although any v0.7 should be fine), where the rejectUnauthorized function was added to https.get

This combination of parameters is required:

 agent: false, // or you can supply your own agent, but if you don't you must set to false rejectUnauthorized: true, ca: [ fs.readFileSync('https_simple/cacert.pem') ]

Now, if authentication fails, you will receive an error event and the request will not continue.

For more information on creating your own agent, see the https.request documentation.

A bug fix was fixed in this change: https://github.com/joyent/node/commit/f8c335d0

My node.js https client always works regardless of the validity of the certificate

More articles: