
Nodejs TLS with self-signed Certificate Authority

Background:

I'm trying to communicate between a server and one (should be able to be multiple - hence the need of a CA) client through TLS.

Each node has a certificate that is signed with a common CA. The CA is in turn self-signed.

The private key of each node is exported as key.pem. The certificate of each node is exported as certificate.crt. The CA certificate is exported as ca.crt. The certificates are not bundled, just exported as is.

The server uses the following setup:

var tls = require("tls");
var fs = require("fs");

var options = {
  // This node's own private key and CA-signed certificate (PEM).
  key: fs.readFileSync("keys/key.pem", "utf8"),
  cert: fs.readFileSync("keys/certificate.crt", "utf8"),

  // Ask every client for a certificate and drop the connection
  // unless that certificate chains to one of the entries in `ca`.
  requestCert: true,
  rejectUnauthorized: true,

  // The self-signed CA that signed both the server and the client certificates.
  ca: [fs.readFileSync('keys/ca.crt')]
}

var server = tls.createServer(options, function(res) {
  console.log("Client connected");

  console.log('Client connected',
              res.authorized ? 'authorized' : 'unauthorized');

  res.write("Hello World!");
  res.setEncoding("utf8");
  res.pipe(res); // echo whatever the client sends back to it
}).listen(3000);

The client uses the following setup:

var tls = require("tls");
var fs = require("fs");

var options = {
  // This client's own private key and CA-signed certificate (PEM).
  key: fs.readFileSync("keys/key.pem", "utf8"),
  cert: fs.readFileSync("keys/certificate.crt", "utf8"),

  // requestCert is a server-side option and has no effect in tls.connect;
  // rejectUnauthorized makes the client abort the handshake if the server
  // certificate does not chain to an entry in `ca`.
  requestCert: true,
  rejectUnauthorized: true,

  // The self-signed CA that signed the server certificate.
  ca: [fs.readFileSync('keys/ca.crt')]
}

var client = tls.connect(3000, options, function(){
  console.log("Connected to server");
  console.log(client.authorized ? "Authorized" : "Not authorized");
});

client.on("data", function(data){
  console.log("Received from server", data);
  client.end();
});

Note on keys / certificates:

The keys and certificates are generated with the openssl GUI / manager XCA.

The tree looks as follows: [image: visualisation of the certificate chain]

The problem:

As you can see I am using explicit client certificate authentication and I want to disallow any non-permitted connections.

The problem with this is that the client is not able to connect, even though all the certificates come from the same CA.

The error I get from both the server (when a client connects) and the client (when it connects) is:

Error: socket hang up, code: ECONNRESET

If I disable rejectUnauthorized the client can connect, but res.authorized returns false.

What is causing authorised clients to be unable to authenticate?

Your code is fine. I expect there is a problem with your certificates. The fact that there is no expiry date sticks out to me. I have found this OpenSSL Certificate Authority by Jamie Nguyen to be very useful. Remember that Nodejs does not support multiple certificates in one cert file, so if you are following the guide, there is no need to copy the root ca and intermediate ca into one file. You will have to add them as separate file entries in the ca list argument.

Afaik the xca tool is built on openssl, so you might be able to map the openssl commands to xca.
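As an added example (not code from the question or the answer), this POSIX shell script rebuilds the hierarchy described above with OpenSSL, a self-signed CA and separately signed server and client certificates with explicit validity periods, and then runs the same chain check Node applies when rejectUnauthorized is true. It assumes the openssl command line is installed; directory, file and subject names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the question or answer): rebuild the hierarchy
# described above with OpenSSL and run the chain check Node performs.
set -eu

# make_pki DIR: self-signed CA plus separately signed server and client
# certificates, each with an explicit validity period, written into DIR.
# Directory and subject names are assumptions for this example.
make_pki() {
  dir=$1
  mkdir -p "$dir"
  # Self-signed CA, valid one year: the single entry for Node's `ca` option.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server leaf gets a SAN so the client's hostname check can match "localhost";
  # client leaf is marked for client authentication.
  printf 'subjectAltName=DNS:localhost\n' > "$dir/server.ext"
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  for node in server client; do
    # Per-node key and CSR (key.pem / certificate.crt in the question).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$node" \
      -keyout "$dir/$node.key" -out "$dir/$node.csr" 2>/dev/null
    # Sign with the CA; -days sets the expiry date the answer says is missing.
    openssl x509 -req -sha256 -days 90 -in "$dir/$node.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -extfile "$dir/$node.ext" -out "$dir/$node.crt" 2>/dev/null
  done
}

# chain_ok CA_FILE LEAF_FILE: succeeds only if LEAF chains to CA_FILE and is
# inside its validity window, the same test rejectUnauthorized applies.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_expiry LEAF_FILE: print notAfter so a missing or odd expiry is visible.
cert_expiry() {
  openssl x509 -in "$1" -noout -enddate
}

# Walkthrough (run with "demo" as the first argument): build one PKI, check
# both leaves against its CA, then show a leaf failing against a foreign CA,
# which is the unauthorized / ECONNRESET case from the question.
if [ "${1:-}" = "demo" ]; then
  a=$(mktemp -d); b=$(mktemp -d)
  make_pki "$a"; make_pki "$b"
  chain_ok "$a/ca.crt" "$a/server.crt" && echo "server chains to its CA"
  chain_ok "$a/ca.crt" "$a/client.crt" && echo "client chains to its CA"
  chain_ok "$b/ca.crt" "$a/client.crt" || echo "client rejected by foreign CA"
  cert_expiry "$a/client.crt"
fi
```

If chain_ok fails for a certificate produced by XCA, Node will reject that certificate in the same way, so this is a cheaper place to look than the handshake error.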
