I had a project that forced me to look into this today, and I discovered the issue. For anyone interested, here's why this fails and how to solve it:
If you set rejectUnauthorized to false and look at the authorization error on the server side, you'll see that there was an error accepting the certificate. The error is INVALID_PURPOSE. This is because NodeJS checks the extension field "extendedKeyUsage" on a certificate for the client key. extendedKeyUsage simply determines how a key may be used. I'm unsure if it's checked in OpenSSL or NodeJS, but specifically for the client, "clientAuth" must be set on this field for the connection to be accepted. In your cert, this will be labeled as "TLS Web Client Authentication" if set on the certificate.

As far as I can tell, if you have your own CA, you can set this field in the configuration under the group local_ca_extensions for it to be added automatically to any certificates you sign with your own CA:

    [ local_ca_extensions ]
    extendedKeyUsage = clientAuth

An equivalent parameter should exist for a self-signed certificate or for signing requests, but I haven't looked into that.

Manny: It's very possible that you did something in Faye to remove this check or skip the rejectUnauthorized parameter, which would then allow you to connect without this parameter set in the certificate, and possibly with an authorization error in the connection. I haven't seen the pull request, so I can't verify that, but take care and look closely at your authorization status in the tls connection.

On Thursday, 27 September 2012 at 17:08:37 UTC+2, Manny Figudore wrote:
>
> I was going to get you a pull request last night but it was late. Work
> will have me busy until this afternoon but I will try to get you a pull
> tonight.
>
> On Thursday, September 27, 2012 1:57:15 AM UTC-4, James Coglan wrote:
>>
>> On 27 September 2012 04:28, Manny Figudore <[email protected]> wrote:
>>
>>> So after much debugging, giving up, then trying with the Faye package
>>> for node - I have a working example. I had to mod Faye to get tls.connect
>>> the certs but it does work with rejectUnauthorized:true.
>>
>>
>> I maintain Faye, can you show me what you did? Our mailing list is
>> http://groups.google.com/group/faye-users
>>
>

--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
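The purpose check described in the post, reproduced with openssl as an added example (this is not code from the original thread, Node or Faye): a throwaway CA signs one client certificate whose extendedKeyUsage is serverAuth only and one with clientAuth, then `openssl verify -purpose sslclient` applies the same sslclient purpose test that a TLS server applies to a client certificate, which is where INVALID_PURPOSE (OpenSSL's "unsupported certificate purpose") comes from. It uses `x509 -req -extfile` in place of the `openssl ca` config section from the post; it assumes openssl is on PATH, and the CN values and file names are constructed.

```shell
#!/bin/sh
# Added example: show that a client cert without extendedKeyUsage = clientAuth
# fails the sslclient purpose check while one with it passes.
# Assumes openssl on PATH. All names below are constructed for the demo.
set -eu
WORK=$(mktemp -d)

# make_ca: self-signed CA with an explicit CA:TRUE basicConstraints extension
make_ca() {
  printf 'basicConstraints = critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_client_cert NAME EKU: sign a client cert whose extendedKeyUsage is EKU,
# e.g. "serverAuth" (the broken case) or "clientAuth" (the fix from the post)
issue_client_cert() {
  name=$1
  eku=$2
  printf 'extendedKeyUsage = %s\n' "$eku" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# check_client_purpose NAME: prints "accepted" or "rejected".
# -purpose sslclient is the purpose a TLS server enforces on a client cert;
# an EKU that omits clientAuth yields "unsupported certificate purpose".
check_client_purpose() {
  if openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" \
       "$WORK/$1.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}
```

Run `make_ca`, then `issue_client_cert bad serverAuth` and `issue_client_cert good clientAuth`, and `check_client_purpose` prints rejected for the first and accepted for the second; `openssl x509 -in "$WORK/good.pem" -noout -text` shows the "TLS Web Client Authentication" label the post mentions.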
