EDITED
I am trying to get SSL working on an app, but I just can't get it to work. I am having problems troubleshooting the problem.
I have created a basic app to test it:
var https = require('https');
var fs = require('fs');
var options = {
key: fs.readFileSync('./ssl/server_key.pem'),
cert: fs.readFileSync('./ssl/server_crt.pem'),
passphrase: 'mypassphrase',
ca: fs.readFileSync('./ssl/cacert.pem'),
requestCert: true,
rejectUnauthorized: false
};
https.createServer(options, function (req, res) {
console.log('req.client.authorized: %s', req.client.authorized);
if (req.client.authorized) {
res.writeHead(200);
res.end("hello world\n");
}
else {
res.writeHead(404);
res.end("Not authorised\n");
}
}).listen(3000);
console.log('Server started...');
I have created the certificates using Ubuntu Documentation on OpenSSL. The process I used was:
Create Certificate Authority Root Certificate and Key
export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
which generates: the CA public certificate 'cacert.pem'; and CA private key 'cakey.pem'
Create Self-Signed Server Certificate
export OPENSSL_CONF=~/myCA/exampleserver.cnf
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
mv tempkey.pem server_key.pem
export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl ca -in tempreq.pem -out server_crt.pem
which generates: Server application certificate file 'server_crt.pem'; and Server application key file 'server_key.pem'.
Create PKCS#12 certificate from server's Root CA X.509 certificate for client use
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "Certificate for MySite"
Which results in the file 'mycert.pfx'.
Copy files to app's ssl directory
I copy the files 'cacert.pem', 'server_key.pem', and 'server_crt.pem' to the ssl directory of the app.
Import file 'mycert.pfx' into Firefox via Firefox's built-in Certificate Manager (I import it into the tab marked 'Your Certificates').
Enter URL (
https://ssl:3000
) into FirefoxAt this point I receive an 'User Identification Request' from Firefox, from which I select my certificate. Then I receive an error from Firefox saying:
"... Secure Connection Failed An error occurred during a connection to ssl:3000. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature) ..."
I tried trouble shooting with curl -v -s -k -E mycert.pem:somepassword https://ssl:3000
, and receive the following output:
- About to connect() to ssl port 3000 (#0)
- Trying XXX.XXX.XXX.XXX... connected
- successfully set certificate verify locations:
- CAfile: none CApath: /etc/ssl/certs
- SSLv3, TLS handshake, Client hello (1):
- SSLv3, TLS handshake, Server hello (2):
- SSLv3, TLS handshake, CERT (11):
- SSLv3, TLS handshake, Request CERT (13):
- SSLv3, TLS handshake, Server finished (14):
- SSLv3, TLS handshake, CERT (11):
- SSLv3, TLS handshake, Client key exchange (16):
- SSLv3, TLS handshake, CERT verify (15):
- SSLv3, TLS change cipher, Client hello (1):
- SSLv3, TLS handshake, Finished (20):
- SSLv3, TLS change cipher, Client hello (1):
- SSLv3, TLS handshake, Finished (20):
- SSL connection using AES256-SHA
- Server certificate:
- subject: CN=ssl; ST=Beijing; C=CN; emailAddress=root@localhost; O=Bengul Company; OU=Bedroom
- start date: 2012-07-17 05:11:49 GMT
- expire date: 2017-07-16 05:11:49 GMT
- subjectAltName: ssl matched
- issuer: CN=ssl; ST=Beijing; C=CN; emailAddress=root@localhost; O=Bengul Company; OU=Bedroom
- SSL certificate verify result: self signed certificate (18), continuing anyway. GET / HTTP/1.1 User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 Host: ssl:3000 Accept: /
HTTP/1.1 404 Not Found
Date: Tue, 17 Jul 2012 05:22:04 GMT
Connection: keep-alive
Transfer-Encoding: chunked
Not authorised
- Connection #0 to host ssl left intact
- Closing connection #0
- SSLv3, TLS alert, Client hello (1):
If I then run netstat
I get this output:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 ssl:55719 ssl:3000 TIME_WAIT
I can't work out what I am doing wrong. I would be extremely grateful if someone could point me in the right direction.