使用椭圆曲线密钥创建服务器和客户端时,使用Node JS TLS密码和密码选项(无共享密码套件错误)
[英]Using Node JS TLS passphrase and cipher options when creating a server and client using elliptic curve keys (no shared cipher suites error)
问题描述
In relation to this question , I am trying to start a TLS server in node.js to reflect the one I created in OpenSSL. 
关于此问题 ,我试图在node.js中启动TLS服务器以反映我在OpenSSL中创建的TLS服务器。 I have tested the client and server using OpenSSL from the command line and they successfully make a connection. 我已经从命令行使用OpenSSL测试了客户端和服务器,它们成功建立了连接。 When I try to port the server to node.js (and still connect to it with an OpenSSL client), I receive a 'no shared cipher' error. 当我尝试将服务器移植到node.js时(仍然通过OpenSSL客户端连接到它),我收到“没有共享密码”错误。 I am wondering if there is something special I need to do when using the passphrase option with tls.createServer() 我想知道在与tls.createServer()一起使用passphrase选项时是否需要做一些特别的事情
Below are my successful OpenSSL commands for server and client respectively, note that the passphrase.txt file contains a single line that is the passphrase: 以下是我分别用于服务器和客户端的成功的OpenSSL命令,请注意,passphrase.txt文件包含一行,即密码短语:
$ openssl s_server -accept 8888 -cert server.cert -key server.key -pass file:passphrase.txt -CAfile ca.cert
$ openssl s_client -connect 127.0.0.1:8888 -cert client.cert -key client.key -pass file:passphrase.txt -CAfile ca.cert
I can also make a successful connection if I specify a cipher for the client and/or server with the additional argument of -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' . 如果我使用-cipher 'ECDHE-ECDSA-AES128-GCM-SHA256'的附加参数为客户端和/或服务器指定密码,则也可以成功建立连接。 I am using elliptic curve keys generated with openssl ecparam and signed with a CA created using openssl ca as discussed in my previous question . 我使用的是由openssl ecparam生成的椭圆曲线键,并使用通过openssl ca创建的CA进行签名,如上一个问题所述 。
The server code written in node.js looks like this: 用node.js编写的服务器代码如下所示:
var tls = require('tls');
var fs = require('fs');
var msg = '***********\n\nHello there secure client!\n\n***********';
var port = 8888;
var host = 'localhost';
var options = {
cert : fs.readFileSync('server.cert'),
key : fs.readFileSync('server.key'),
passphrase : (fs.readFileSync('passphrase.txt')).toString(),
ca : fs.readFileSync('ca.cert'),
// ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256',
// requestCert : true,
// rejectUnauthorized : true
};
tls.createServer(options, function(cleartextStream) {
if (cleartextStream.authorized) {
console.log('Server-side connection authorized by a Certificate Authority.');
} else {
// TODO this code does not appear to get executed even on failed connections
console.log('Server-side connection not authorized: ' + cleartextStream.authorizationError);
}
// send the server message to the client
cleartextStream.write(msg);
cleartextStream.setEncoding('utf8');
cleartextStream.pipe(cleartextStream);
}).listen(port, function() {
console.log('Server started on port: ' + port);
}).on('clientError', function(err){
console.log('A failed client connection attempt occurred.');
console.error(err);
console.log();
});
After calling the above code with node tlsServer.js and attempting to connect with an OpenSSL client on the command line, I receive the following messages. 在使用node tlsServer.js调用上述代码并尝试在命令行上与OpenSSL客户端连接后,我收到以下消息。
SERVER: 服务器:
$ node tlsServer.js
Server started on port: 8888
<< client started here >>
A failed client connection attempt occurred.
[Error: 6396:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:openssl\ssl\s3_srvr.c:1132:
]
CLIENT: 客户:
$ openssl s_client -connect 127.0.0.1:8888 -cert client.cert -key client.key -pass file:passphrase.txt -CAfile ca.cert
CONNECTED(00000003)
2674688:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I am using node v0.6.15. 我正在使用节点v0.6.15。 And the errors do not change when I uncomment the ciphers , requestCert , and rejectUnauthorized in the options list sent to tls.createServer() . 当我取消注释发送到tls.createServer()的选项列表中的ciphers , requestCert和rejectUnauthorized时,错误不会更改。 I also have a node.js cersion of the client, and I get a socket hang up code ECONNRESET when I attempt to connect to the node server, and the following error when trying to connect to a OpenSSL server: 我还有客户端的node.js cersion,尝试连接到节点服务器时收到套接字挂起代码ECONNRESET,而尝试连接到OpenSSL服务器时出现以下错误:
Connection to localhost:8888 could not be made.
[Error: 6968:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:openssl\ssl\s23_clnt.c:602:
]
Thanks in advance for your help and ideas! 预先感谢您的帮助和想法!
1 个解决方案
解决方案1
0 已采纳 2012-04-18 01:03:06
If the passphrase is wrong, maybe. 如果密码错误,也许可以。 Try removing it. 尝试将其删除。
However, no_shared_cipher is an error raised when the client can't agree on a cipher suit with the server . 但是,当客户端无法与服务器协商密码时, no_shared_cipher会引发错误。 Try first removing the cipher suit restriction on the server and seeing what it negotiates to use to isolate the problem. 尝试首先删除服务器上的密码套件限制,然后查看服务器协商使用什么来隔离问题。 If this works, then place one with the client and see what happens. 如果可行,则与客户放在一起,看看会发生什么。
Also, can you check that node is using the same openssl library as the openssl command. 另外,您是否可以检查节点是否使用与openssl命令相同的openssl库。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.