All,
I was playing with Node's ability to do client certificate verification
on https requests and this seems to work great. However, if I try to use
ws, websocket, or socket.io/socket.io client (had to hack in a mod to pass
the certificates in the client) and enable "rejectUnauthorized: true",
none of them can establish a websocket connection. The websocket modules
all fail with either a "socket hang up" and/or an "ECONNRESET". With Chrome
and the certs loaded, I can get a response from the https engine just
fine. Below are the samples from my ws test bed:
-node v0.8.9
-Windows 7 x64
-native extensions compiled successfully
server.js
> var https = require('https')
>
> , WebSocketServer = require('ws').Server
>
> , fs = require('fs')
>
>
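// TLS settings for the HTTPS server that also carries the WebSocket upgrade.
// requestCert + rejectUnauthorized make this a mutual-TLS endpoint: the
// handshake fails for any peer that does not present a certificate chaining
// to one of the CAs listed in `ca`.
var options = {
  // Test-fixture passphrase from the original report; a real deployment
  // would load it from protected configuration rather than from source.
  passphrase: 'password',
  key: fs.readFileSync('ssl/server-key.pem'),
  cert: fs.readFileSync('ssl/server-cert.pem'),
  // Trust anchor(s) used to validate *client* certificates.
  ca: [fs.readFileSync('ssl/ca1-cert.pem')],
  requestCert: true,
  rejectUnauthorized: true
};

// No https.Agent is attached to `options`: an Agent only configures outgoing
// client requests and has no effect on https.createServer().
var app = https.createServer(options, ServerAuthHandler);
app.listen(443);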
>
>
// Attach the WebSocket server to the HTTPS server so both share one TLS
// listener. Upgrade requests are delivered to `wss` rather than to the HTTPS
// request handler, so client-certificate enforcement for sockets depends on
// the TLS layer (rejectUnauthorized: true in the server options).
var wss = new WebSocketServer({server: app});

wss.on('connection', function handleClient(ws) {
  // Push process memory statistics to this client every 100 ms.
  function pushMemoryUsage() {
    var payload = JSON.stringify(process.memoryUsage());
    ws.send(payload, function() { /* ignore errors */ });
  }

  var timer = setInterval(pushMemoryUsage, 100);
  console.log('started client interval');

  // Stop the periodic push once the peer disconnects.
  ws.on('close', function onClose() {
    console.log('stopping client interval');
    clearInterval(timer);
  });

  // Echo anything the client sends to the server log.
  ws.on('message', function onMessage(message) {
    console.log('received: %s', message);
  });
});
>
>
>>
>> /////////////
>
> //Handler functions
>
> /////////////
>
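/**
 * HTTPS request handler that reports whether the TLS peer presented a
 * certificate the server accepted.
 *
 * With `rejectUnauthorized: true` in the server options, unauthorized peers
 * are refused during the TLS handshake, so the 401 branch is only reachable
 * when that option is relaxed. WebSocket upgrade requests are not routed to
 * this handler, so it must not be the only certificate check for sockets.
 *
 * @param {object} req - incoming request; `req.client` is its TLS socket.
 * @param {object} res - server response that receives the JSON status.
 */
function ServerAuthHandler (req, res) {
  if (req.client.authorized) {
    res.writeHead(200, {"Content-Type": "application/json"});
    res.end('{"status":"approved"}');
    console.log('client was authorized!');
    return;
  }

  res.writeHead(401, {"Content-Type": "application/json"});
  // Log only the verification failure reason. Dumping the whole request
  // object would write headers (cookies, authorization values) to the log.
  console.log('request denied: %s', req.client.authorizationError);
  res.end('{"status":"denied"}');
}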
>
>
client.js
>
var WebSocket = require('ws')
, fs = require('fs');
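// Client-side TLS material. key/cert/passphrase form the client identity
// that the server demands (requestCert + rejectUnauthorized on its side).
// NOTE(review): the "peer did not return a certificate" error reported below
// suggests these values never reached the TLS handshake; confirm that the
// installed ws version forwards key/cert/passphrase to its HTTPS request.
var options = {
  // Test-fixture passphrase from the original report.
  passphrase: 'password'
  , key: fs.readFileSync("ssl/agent1-key.pem")
  , cert: fs.readFileSync("ssl/agent1-cert.pem")
  // `ca` is left disabled as in the original report. Without it the server
  // certificate can only be checked against Node's default trust store,
  // which will not contain a private test CA; supply the issuing CA and set
  // rejectUnauthorized: true so the client authenticates the server as well.
  // Presumably ca1 also signs the server certificate; confirm before enabling.
  //, ca: [fs.readFileSync("ssl/ca1-cert.pem")]
};

// wss:// is the WebSocket-over-TLS scheme.
var ws = new WebSocket('wss://localhost', options);

// Without an 'error' listener a failed handshake is thrown as an unhandled
// 'error' event and terminates the process with a bare stack trace.
ws.on('error', function(err) {
  console.error('websocket error: %s', err.message);
});

ws.on('open', function() {
  ws.send('something');
});

ws.on('message', function(data, flags) {
  // flags.binary will be set if a binary data is received
  // flags.masked will be set if the data was masked
  console.log(data);
});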
error output from client.js
> "C:\Program Files\nodejs\node.exe" --debug-brk=10610 client.js
>
> debugger listening on port 10610
>
>
>> events.js:66
>
> throw arguments[1]; // Unhandled 'error' event
>
> ^
>
> Error: socket hang up
>
> at SecurePair.error (tls.js:917:15)
>
> at EncryptedStream.CryptoStream._done (tls.js:395:17)
>
> at EncryptedStream.CryptoStream._pull (tls.js:546:12)
>
> at SecurePair.cycle (tls.js:835:20)
>
> at EncryptedStream.CryptoStream.end (tls.js:368:13)
>
> at Socket.onend (stream.js:66:10)
>
> at Socket.EventEmitter.emit (events.js:115:20)
>
> at TCP.onread (net.js:417:51)
>
>
>> Process finished with exit code 1
>
>
>
Some debugging seems to point to a possible issue inside tls.js, where
the SSL module is throwing a "SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate" - but I'm not sure if this is a node issue or
just a matter of handling the https upgrade request properly inside of the
websocket engines? Also - I noticed that secureEstablished is set to false
when the above error is thrown.
Finally - setting rejectUnauthorized: false allows this and the other samples
to work fine - however - I want to ensure client certificate authentication
throughout, so this isn't really an option for my testing.
Any ideas?
Thanks,
Manny