Support for X509, OCSP, CRL, ASN1 and TLS session details. #3662

Closed
rmhrisk opened this Issue · 12 comments

6 participants

@rmhrisk

Go currently has support for a ton of rich information about TLS and PKI related objects, see: http://golang.org/pkg/ and the TLS, X509 and PKIX objects.

Go's coverage isn't perfect but it's enough to do some cool stuff that today can't be done directly in Node.

I would love to see this stuff exposed in node also, a few examples this would enable include:

  1. SSL configuration checker - https://www.ssllabs.com/ssltest/index.html
  2. Certificate Crawler - https://www.eff.org/observatory
  3. SSL support tools - http://www.sslshopper.com/ssl-certificate-tools.html
  4. ASN1 diagnostics - http://www.lapo.it/asn1js/

Ryan

@ksdlck

Pretty sorry to see this go totally unanswered; these features are absolutely essential for Node users to be able to write secure and security-related software. At the very least, OCSP support is absolutely mandatory for secure TLS. ASN.1 has traditionally been very difficult and complex to implement, but OCSP support for TLS can be exposed just by an extension of the TLS binding; OpenSSL already supports it internally. Can we get at least a response to this?

@bnoordhuis

> Can we get at least a response to this?

Of course. The official response is (no snark intended): we take patches.

@rmhrisk

I have on my list to see about contributing something here at some point but in the meantime I had a simple RESTful web service thrown together that does some of this: http://unmitigatedrisk.com/?p=206 that people can use. I will also post the source on GitHub soon (it's in golang).

@stuartpb

I heard the TLS module is getting some fairly serious overhauls for 0.11 / 0.12. Is any of this on the way? @indutny?

@indutny
Owner

There is no point in ASN.1 in core, since you could do it in user-land, for example: https://www.npmjs.org/package/asn1.js . And OCSP is definitely in my future plans, but not for v0.12 as we are trying to release it now.

@indutny indutny added this to the v0.13 milestone
@jasnell
Owner

@indutny ... any further thoughts on this one?

@rmhrisk

Since this issue was opened, a friend and I did this: https://pkijs.org

@ghost
@jasnell
Owner

@rmhrisk :+1: userland solutions are awesome. If you feel there's still a need for this functionality in core, let us know and we can reopen this issue.

@jasnell jasnell closed this
@stuartpb

Doesn't core TLS still need to be extended to support OCSP?

@rmhrisk

Would also be nice if there was a polyfill for webcrypto so user land could do crypto securely

@indutny
Owner

It does support OCSP already!
