
Detect on the server-side if a client rejects my TLS certificate

I'm building an HTTP proxy in Node.js, which attempts to intercept HTTPS connections, using a self-signed certificate. I'm using a bare http.Server, instantiating my own tls.TLSSocket to upgrade sockets as required, and the functionality all works great when the CA is trusted by the client.

If the client isn't configured with the CA though, it obviously rejects the connection, complaining that there's a self-signed certificate in the chain.

That's all as it should be, but I'd like a way to detect that this has happened from the server-side, so I can prompt the user to correctly configure their client.

Is it possible to do this? It seems the TLS RFC ( https://tools.ietf.org/html/rfc5246#section-7.2.2 ) has quite a few error alert messages about certificate rejections, which I would expect to cover this, but I can't seem to see any debug info in Node about those even with NODE_DEBUG=tls.

Really I'd like to subscribe to TLS error alert events, so I can react to the various interesting cases in there directly. How can I do that?

Usually all you see is that the client closes the connection. Some clients might send an alert, others don't; the exact behavior depends on the TLS stack. You could not redirect the client from within this dead connection anyway.

What you might try is to have some initial page served with plain HTTP where you include some image or similar from an HTTPS resource using a certificate signed with your CA. With some script you can detect if the client has successfully loaded the image or not, and in the latter case you can show your information about needing to install some certificate.
