Add two way SSL authentication #18
Conversation
Please keep it consistent and don't use camelCase in command-line arguments.
I think the capital C makes sense. Lower case is for the server cert, uppercase is the client cert.
Add two way SSL authentication
Thanks Ted!
I followed the instructions for two-way authentication and it did not work for me (Node 0.10.5 and spdyproxy 0.2.4). No auth / password auth works for me. But when using two-way auth, Chrome prompts for the certificate to submit to the server, but the server does not show any logs and the connection doesn't work either. Any idea? Thanks!
@zhaostu "no auth/password auth works for me" - even the regular HTTP auth? I'm not sure I would expect the server to log anything for certificate validation. Besides, the validation here should happen between the client and spdy-proxy, not the destination server (that's a whole separate discussion).
@igrigorik Sorry for the confusion. What I really meant was "Without authentication (so that everyone can access the proxy) and password authentication (using Basic HTTP Auth) both worked for me." A little more detail: I used StartSSL to sign my server cert, and I used the server cert (with linked CA certs) to sign a client cert (as described in the README) and imported the pfx file into Chrome. When I try to use the proxy, Chrome prompts me with a dialog asking whether I want to submit the client cert (meaning the -C worked). But after I click OK, Chrome complains about a proxy error. Any ideas? Thanks for the work!
The StartSSL-signed server cert was not permitted to sign client certs: there is a Key Usage field in the signed certificate, and by default it only allows SSL communication. You have to become an intermediate CA to sign client certs. In short, Chrome will not use the client cert because it is invalid.
@zhaostu You can still use the StartSSL certificate as the SSL certificate but use a self-signed CA to sign client certs; just use -a and -c to specify different certs: `spdyproxy -k keys/startssl.pem -c keys/startssl.cer -p 44300 -a keys/selfSignRootCA.pem -C`
@fengxx Thanks Ted! That makes a lot of sense now! Also,
Yes, it holds the public key.
@fengxx @igrigorik Thanks guys, I created my own root CA and it worked. I'd suggest putting that in the README file so that others who have the same problem can understand this. Thanks again!
pass rejectUnauthorized and requestCert to ssl server, refer to
http://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener
Add instructions to generate client certificate.