1
votes

EDITED

I am trying to get SSL working on an app, but I just can't get it to work. I am having problems troubleshooting the problem.

I have created a basic app to test it:

var https = require('https');
var fs = require('fs');

var options = {
  key: fs.readFileSync('./ssl/server_key.pem'),
  cert: fs.readFileSync('./ssl/server_crt.pem'),
  passphrase: 'mypassphrase',
  ca: fs.readFileSync('./ssl/cacert.pem'),
  requestCert: true,
  rejectUnauthorized: false
};

https.createServer(options, function (req, res) {
  console.log('req.client.authorized: %s', req.client.authorized);
  if (req.client.authorized) {
    res.writeHead(200);
    res.end("hello world\n");
  }
  else {
    res.writeHead(404);
    res.end("Not authorised\n");
  }

}).listen(3000);
console.log('Server started...');

I have created the certificates using Ubuntu Documentation on OpenSSL. The process I used was:

  1. Create Certificate Authority Root Certificate and Key

    export OPENSSL_CONF=~/myCA/caconfig.cnf

    openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825

    which generates: the CA public certificate 'cacert.pem'; and CA private key 'cakey.pem'

  2. Create Self-Signed Server Certificate

    export OPENSSL_CONF=~/myCA/exampleserver.cnf

    openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM

    mv tempkey.pem server_key.pem

    export OPENSSL_CONF=~/myCA/caconfig.cnf

    openssl ca -in tempreq.pem -out server_crt.pem

    which generates: Server application certificate file 'server_crt.pem'; and Server application key file 'server_key.pem'.

  3. Create PKCS#12 certificate from server's Root CA X.509 certificate for client use

    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

    openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "Certificate for MySite"

    Which results in the file 'mycert.pfx'.

  4. Copy files to app's ssl directory

    I copy the files 'cacert.pem', 'server_key.pem', and 'server_crt.pem' to the ssl directory of the app.

  5. Import file 'mycert.pfx' into Firefox via Firefox's built-in Certificate Manager (I import it into the tab marked 'Your Certificates').

  6. Enter URL (https://ssl:3000) into Firefox

    At this point I receive an 'User Identification Request' from Firefox, from which I select my certificate. Then I receive an error from Firefox saying:

    "... Secure Connection Failed An error occurred during a connection to ssl:3000. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature) ..."

I tried trouble shooting with curl -v -s -k -E mycert.pem:somepassword https://ssl:3000, and receive the following output:

  • About to connect() to ssl port 3000 (#0)
  • Trying XXX.XXX.XXX.XXX... connected
  • successfully set certificate verify locations:
  • CAfile: none CApath: /etc/ssl/certs
  • SSLv3, TLS handshake, Client hello (1):
  • SSLv3, TLS handshake, Server hello (2):
  • SSLv3, TLS handshake, CERT (11):
  • SSLv3, TLS handshake, Request CERT (13):
  • SSLv3, TLS handshake, Server finished (14):
  • SSLv3, TLS handshake, CERT (11):
  • SSLv3, TLS handshake, Client key exchange (16):
  • SSLv3, TLS handshake, CERT verify (15):
  • SSLv3, TLS change cipher, Client hello (1):
  • SSLv3, TLS handshake, Finished (20):
  • SSLv3, TLS change cipher, Client hello (1):
  • SSLv3, TLS handshake, Finished (20):
  • SSL connection using AES256-SHA
  • Server certificate:
  • subject: CN=ssl; ST=Beijing; C=CN; emailAddress=root@localhost; O=Bengul Company; OU=Bedroom
  • start date: 2012-07-17 05:11:49 GMT
  • expire date: 2017-07-16 05:11:49 GMT
  • subjectAltName: ssl matched
  • issuer: CN=ssl; ST=Beijing; C=CN; emailAddress=root@localhost; O=Bengul Company; OU=Bedroom
  • SSL certificate verify result: self signed certificate (18), continuing anyway. GET / HTTP/1.1 User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 Host: ssl:3000 Accept: /

HTTP/1.1 404 Not Found

Date: Tue, 17 Jul 2012 05:22:04 GMT

Connection: keep-alive

Transfer-Encoding: chunked

Not authorised

  • Connection #0 to host ssl left intact
  • Closing connection #0
  • SSLv3, TLS alert, Client hello (1):

If I then run netstat I get this output:

Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 ssl:55719 ssl:3000 TIME_WAIT

I can't work out what I am doing wrong. I would be extremely grateful if someone could point me in the right direction.

1

1 Answers

0
votes

I've recently implemented a simple proxy server in node.js that supports SSL. Maybe that can help you debug your solution. You can find the code and short instructions for generating a self-signed certificate on my Github project: https://github.com/alienhard/malinger.