.getPeerCertificate() on https.request() #7672

Closed
mykiimike opened this issue Jul 12, 2016 · 6 comments
Labels: doc, https, tls

mykiimike commented Jul 12, 2016

Hi

.getPeerCertificate() does not return the fingerprint after the first https.request(). It seems to be a problem with https.agent. If I set agent to false during https.request(opts) then I correctly get the fingerprint each time.

Here is an example:

```javascript
const https = require("https");

function request() {
    var options = {
        hostname: 'www.google.com',
        port: 443,
        path: "/",
        method: 'GET',
        // turning this to True makes the fingerprint work again (agent's connections are closed);
        //agent: false,
        rejectUnauthorized: false
    };

    var req = https.request(options, (res) => {
        res.fingerprint = res.connection.getPeerCertificate().fingerprint;
        var data = '';
        res.on('data', (d) => {
            data += d;
        });
        res.on('end', () => {
            console.log("got data", res.fingerprint);
            setTimeout(request, 1000);
        });

    }).on('error', (e) => {
        console.error(e);
    });
    req.end();
}

request();
```
Fishrock123 added the https label Jul 12, 2016
@mykiimike
Author

Maybe other tlsSocket fields are affected.

bnoordhuis added the tls label Jul 12, 2016
@bnoordhuis
Member

That is an unfortunate side effect of TLS session resumption. In your example, the first connection does a full TLS handshake but subsequent connections do an abridged version based on the previously established TLS session (which persists across connections.)

It's good for performance reasons (it cuts the number of TCP round-trips in half) but it loses the TLS connection metadata.

The reason it works as you expect it to with { agent: false } is that it creates a new session for every connection.
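Added example, not part of the thread and not Node.js project code: a fail-closed certificate pin check that treats the empty certificate object described above as its own outcome instead of letting an `undefined` fingerprint pass silently. The names `checkPin` and `pinRequest` and the verdict strings are hypothetical; it compares `fingerprint256` (SHA-256) rather than the SHA-1 `fingerprint` field used in the report.

```javascript
// Added example, not from the issue thread.
// Normalise "AB:CD:..." or "abcd..." to bare uppercase hex.
function normalizeFingerprint(fp) {
  return String(fp).replace(/:/g, '').toUpperCase();
}

// Classify a TLS socket against an expected SHA-256 certificate fingerprint.
//   'match' / 'mismatch'  - a certificate was available and was compared
//   'no-cert-resumed'     - empty certificate object on a resumed session
//                           (the case reported in this issue)
//   'no-cert'             - empty or null certificate on a full handshake
function checkPin(socket, expected) {
  const cert = socket.getPeerCertificate() || {};
  if (!cert.fingerprint256) {
    return socket.isSessionReused() ? 'no-cert-resumed' : 'no-cert';
  }
  return normalizeFingerprint(cert.fingerprint256) === normalizeFingerprint(expected)
    ? 'match'
    : 'mismatch';
}

// Attach the check to an https.ClientRequest so it runs once per request.
// Any verdict other than 'match' destroys the request (fail closed).
function pinRequest(req, expected) {
  req.on('socket', (socket) => {
    const verify = () => {
      const verdict = checkPin(socket, expected);
      if (verdict !== 'match') {
        req.destroy(new Error(`certificate pin check failed: ${verdict}`));
      }
    };
    // Assumption: a socket that is still connecting emits 'secureConnect' when
    // its handshake finishes; a keep-alive socket handed back by the agent does
    // not emit it again, so it is checked immediately.
    if (socket.connecting) socket.once('secureConnect', verify);
    else verify();
  });
  return req;
}
```

Wrap a request as `pinRequest(https.request(options, cb), expectedPin)` and handle the resulting `'error'` event. On `no-cert-resumed` the caller can retry with `agent: false`, which per the comment above creates a new session for every connection.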

@mykiimike
Author

mykiimike commented Jul 12, 2016

Thanks,

It depends on the way you want to provide the application's subsystem. It doesn't really matter to me, but the question is: is it normal behaviour for a normal guy, I would say :)
Actually the agent is something transparent (almost opaque) for the famous normal guy, no?

Cheers
Michael

bnoordhuis added the doc label Jul 12, 2016
@bnoordhuis
Member

cc @nodejs/documentation - the documentation for getPeerCertificate() and the HTTPS agent should clarify that resumed sessions lack the peer's certificate info.

@mykiimike You're welcome to submit a PR too, of course. :-)

@mykiimike
Author

I will try to find some free time to do it 👍

@Trott
Member

Trott commented Jul 8, 2017

A PR would be welcome.

This issue has been inactive for sufficiently long that it seems like perhaps it should be closed. Feel free to re-open (or leave a comment requesting that it be re-opened) if you disagree. I'm just tidying up and not acting on a super-strong opinion or anything like that.
