Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement TLS #8

Closed
btbonval opened this issue Sep 24, 2013 · 7 comments
Closed

Implement TLS #8

btbonval opened this issue Sep 24, 2013 · 7 comments
Labels
enhancement

Comments

@btbonval
Copy link
Owner

Whip together some test certs, replace var tls = require('net'); with var tls = require('tls');, and fill in the options for cert/key/etc.

http://nodejs.org/api/tls.html
@btbonval
Copy link
Owner Author

Server side is written but untested as of commit f352f31

@btbonval
Copy link
Owner Author

Client side is written as of commit e9761ae

Originally got this error:

(env)bryan@zetool-m ~/Documents/programmin/git/DogiAdmin $ node client.js 

events.js:72
        throw er; // Unhandled 'error' event
              ^
Error: Hostname/IP doesn't match certificate's altnames

That should have been fixed, but the error persists with node.js tls. However, openssl s_client works (connects to the server, sends data back and forth with server):

openssl s_client -connect 127.0.0.1:8064 -CAfile test/x509/certs/CA1.ca.crt -cert test/x509/certs/CERT1B.crt -key test/x509/certs/CERT1B.rsa

Compare to the client configuration file:

    "keyfile": "test/x509/certs/CERT1B.rsa",
    "certfile": "test/x509/certs/CERT1B.crt",
    "cafile": "test/x509/certs/CA1.ca.crt",

Client and Server are both configured for "rejectUnauthorized": true, which is what SO says the problem seems to be.
http://www.serverfault.com/questions/522845/ssl-error-self-signed-certificate-in-certi

@btbonval
Copy link
Owner Author 

$ openssl s_client -connect 127.0.0.1:8064 -CAfile test/x509/certs/CA1.ca.crt -cert test/x509/certs/CERT1B.crt -key test/x509/certs/CERT1B.rsa -policy_check -x509_strict -issuer_checks
...
depth=0 L = Internet, O = User, CN = internet.user
verify error:num=29:subject issuer mismatch
verify return:1
depth=0 L = Internet, O = User, CN = internet.user
verify error:num=29:subject issuer mismatch
verify return:1
depth=0 L = Internet, O = User, CN = internet.user
verify error:num=18:self signed certificate
verify return:1
depth=0 L = Internet, O = User, CN = internet.user
verify error:num=29:subject issuer mismatch
verify return:1
depth=0 L = Internet, O = User, CN = internet.user
verify error:num=29:subject issuer mismatch
verify return:1
depth=0 L = Internet, O = User, CN = internet.user
verify error:num=27:certificate not trusted
verify return:1
depth=0 L = Internet, O = User, CN = internet.user
verify error:num=29:subject issuer mismatch
verify return:1
depth=0 L = Internet, O = User, CN = internet.user
verify return:1
...
    Start Time: 1380087312
    Timeout   : 300 (sec)
    Verify return code: 29 (subject issuer mismatch)

Still connected, but these errors are new as of the issuer_checks flag. Without the flag, everything works:

$ openssl s_client -connect 127.0.0.1:8064 -CAfile test/x509/certs/CA1.ca.crt -cert test/x509/certs/CERT1B.crt -key test/x509/certs/CERT1B.rsa -policy_check -x509_strict
...
depth=1 L = Internet, O = Admin, CN = internet.admin
verify return:1
depth=0 L = Internet, O = User, CN = internet.user
verify return:1
...
    Start Time: 1380087411
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Changing "rejectUnauthorized: false" in the client config did not allow the client to connect.

@btbonval
Copy link
Owner Author

In other news:

  • if the client connects with a certificate that was signed by a different CA, the server disconnects the client. (yay)
  • if the client connects trusting a different CA, it will disconnect from the server crying about a bad cert signature. (yay)

Now we just need the client to connect to the server in good conditions

@btbonval
Copy link
Owner Author

Client cerficate:

[extensions]
basicConstraints=critical, CA:FALSE
keyUsage=critical, digitalSignature, dataEncipherment
subjectAltName = @hostnames

[hostnames]
DNS.1 = localhost
IP.1 = 127.0.0.1

Client has been asked to connect to alternatively localhost and 127.0.0.1 with the same results. s_client is fine with it. bug in node.js tls?

try/catch cannot seem to grab this error. stack trace:

events.js:72
        throw er; // Unhandled 'error' event
              ^

Error: Hostname/IP doesn't match certificate's altnames
    at SecurePair.<anonymous> (tls.js:1366:23)
    at SecurePair.EventEmitter.emit (events.js:92:17)
    at SecurePair.maybeInitFinished (tls.js:970:10)
    at CleartextStream.read [as _read] (tls.js:463:15)
    at CleartextStream.Readable.read (_stream_readable.js:320:10)
    at EncryptedStream.write [as _write] (tls.js:366:25)
    at doWrite (_stream_writable.js:221:10)
    at writeOrBuffer (_stream_writable.js:211:5)
    at EncryptedStream.Writable.write (_stream_writable.js:180:11)
    at write (_stream_readable.js:583:24)

@btbonval
Copy link
Owner Author

Might be an upstream problem.
http://stackoverflow.com/questions/14088787/hostname-ip-doesnt-match-certificates-altname

(this is now a bug)

@btbonval btbonval mentioned this issue Sep 25, 2013
Closed
@btbonval
Copy link
Owner Author

Technically this is implemented.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@btbonval