
Securing Service calls from node using ssl

I am trying to make the service calls that are made from my node to other services secure. All the other services have enabled https. I tried the following methods

  1. process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'

     which as per my understanding ignores all errors because of certificates, so I removed it from the code

  2. I am using the request module, where we can configure

     key - provided my private key file,

     cert - provided my certificate file

     ca - certificate authority chain

     then it was throwing UNABLE_TO_VERIFY_LEAF_SIGNATURE

I found out that node doesn't read ca from the system. It has its own ca chain, so I included node-ssl-root-cas, which fetched the latest cas from the internet.

Then using ssl-analyser, I was able to find that my domain doesn't have an intermediate ca certificate.

I downloaded that from our ca, made a ca chain and attached it to ssl-root-cas.

Then I was able to make requests successfully.

But even if I remove key and cert from my request, I am able to make the request and get a result.

How can I check that my request and response are actually encrypted?

Or is node just ignoring errors?

FYI, Node will use the certificate authorities installed on the system if you don't provide your own with the "ca" property. When you do provide your own, the system ones are ignored. This is by design, as providing your own CA likely means that you want to only trust certificates signed by your own CA. If you aren't using your own CA, you can skip setting the "ca" property. If you are, then I'm not sure why you would need to provide the full list of commonly trusted CAs as well. That seems like a pretty odd use case.

You can use the https module to make requests without providing your own key and cert. This is expected and documented behaviour. For technical reasons, when making any https request, more specifically when opening any TLS socket, the client also needs to have a private key and certificate. In the default case, the server doesn't verify the client in any way, so browsers use what's commonly referred to as a "snakeoil" certificate - a bundled self-signed certificate.

The use case for providing your own key and cert when performing https requests is when the server has client certificate checks enabled. For example, when connecting to Apple's servers for delivering push messages to iOS, you have a client certificate issued by Apple that Apple's servers use to verify that you have access to send push messages (the certificate was issued by Apple) and which app you are sending to (the fingerprint/checksum of the certificate).

Unless the https services you talk to require specific client certificates, you're better off not setting "key" and "cert" - there's no real reason to do that.

So, in summary, you can probably skip setting all three of key, cert and ca, as the real problem seemed to be your mis-configured server (it didn't serve the CA chain).
