This repository has been archived by the owner on Apr 22, 2023. It is now read-only.
I've noticed a peculiar behavior of the https module with regard to Firefox closing connections for untrusted certificates. In the demo below, I use a self-signed certificate generated by the pem module, but the same principle can be applied to any untrusted certificate (for example, I was able to cause the same issue by deleting the Startcom signing certificates from Firefox and attempting to connect to a server with a StartSSL cert).
What happens is that as soon as a Firefox client that doesn't trust the certificate terminates its connection, the https server fires a clientError event with an SSL error-- except this event is fired on a random socket that has no relation to the Firefox client. I determined this by gathering several different Chrome users, having them all connect to a server I controlled, and observing the errors logged when I connect with Firefox.
Steps to reproduce:

1. Download server.js and index.html as listed below
2. Install the pem module
3. Start the server, and navigate Chromium to https://localhost:4444
4. Click Advanced and Proceed to localhost (unsafe)
5. Navigate Firefox to https://localhost:4444
6. Observe that as soon as the Untrusted Connection page displays in Firefox, a clientError is triggered on the server, but on the Chromium client:

```
Error: 140173278586688:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1461:SSL alert number 48
    at Error (native)
Triggered on client with UA: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
```
Demo:

server.js

```javascript
var https = require('https');
var pem = require('pem');
var fs = require('fs');

var indexHtml = fs.readFileSync('index.html');

// Generate a throwaway self-signed certificate that no browser trusts.
pem.createCertificate({ days: 10, selfSigned: true }, function (err, keys) {
  if (err) throw err;

  var httpServer = https.createServer({
    key: keys.serviceKey,
    cert: keys.certificate
  }, function (req, res) {
    // Tag the socket with the client's User-Agent so clientError can report it.
    req.socket.userAgent = req.headers['user-agent'];
    res.writeHead('200', {
      'Content-Type': 'text/html',
      'Content-Length': indexHtml.length
    });
    res.end(indexHtml);
  });

  // Log the error together with the User-Agent recorded on the socket it fired for.
  httpServer.on('clientError', function (err, socket) {
    console.log(err.stack);
    console.log('Triggered on client with UA: ' + socket.userAgent);
  });

  httpServer.listen(4444);
});
```
index.html
I am using node.js v0.12.2 on Arch Linux. The issue is not reproducible on v0.10.35 on the same machine.
I believe this is the underlying cause of websockets/ws#477.
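
Added example (not part of the original report and not Node.js code): a decoder for the OpenSSL error line logged in the report, assuming the OpenSSL 1.0.x error-code packing of 8 bits library, 12 bits function and 12 bits reason. It shows that reason 1048 is TLS alert 48 (`unknown_ca`) received from the peer, which helps when triaging which kind of client a `clientError` really came from. The names `decodeOpenSslError`, `TLS_ALERTS` and `SAMPLE` are chosen here for illustration.

```javascript
// Added example: decode an OpenSSL 1.0.x error-queue line.
// Assumed layout: <thread>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<data>

var ERR_LIB_SSL = 20;             // library number of the SSL routines
var SSL_AD_REASON_OFFSET = 1000;  // added to an alert description received from the peer

// TLS alert descriptions related to certificate trust (RFC 5246, section 7.2).
var TLS_ALERTS = {
  42: 'bad_certificate',
  43: 'unsupported_certificate',
  44: 'certificate_revoked',
  45: 'certificate_expired',
  46: 'certificate_unknown',
  48: 'unknown_ca'
};

function decodeOpenSslError(line) {
  var re = /^(?:Error: )?(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):(.*)$/;
  var m = re.exec(String(line).trim());
  if (!m) return null; // not an OpenSSL error-queue line

  var code = parseInt(m[2], 16);
  var lib = code >>> 24;             // top 8 bits
  var func = (code >>> 12) & 0xfff;  // middle 12 bits
  var reason = code & 0xfff;         // low 12 bits

  // For the SSL library, reasons >= 1000 mean "the peer sent this alert".
  var fromPeer = lib === ERR_LIB_SSL && reason >= SSL_AD_REASON_OFFSET;
  var alert = fromPeer ? reason - SSL_AD_REASON_OFFSET : null;

  return {
    lib: lib,
    func: func,
    reason: reason,
    reasonText: m[5],
    source: m[6] + ':' + m[7],
    peerAlert: alert,
    peerAlertName: alert === null ? null : (TLS_ALERTS[alert] || 'alert_' + alert),
    // true when the remote client rejected the server certificate
    peerRejectedCert: alert !== null && TLS_ALERTS.hasOwnProperty(alert)
  };
}

// Error line copied from the report above.
var SAMPLE = 'Error: 140173278586688:error:14094418:SSL routines:ssl3_read_bytes:' +
  'tlsv1 alert unknown ca:s3_pkt.c:1461:SSL alert number 48';

console.log(decodeOpenSslError(SAMPLE));
```

A decoded `peerRejectedCert: true` means the alert was sent by a client that refused the certificate, which does not match a Chromium session where the user already chose to proceed.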