LinuxQuestions.org
Programming > Node JS -- Public SSL Certs (https://www.linuxquestions.org/questions/programming-9/node-js-public-ssl-certs-4175526103/)

gothrog 11-21-2014 12:09 PM

Node JS -- Public SSL Certs
 
Hi All,

I'm a n00b when it comes to public SSL CA certs and coding node.js to be an SSL/TLS server.

I have followed the instructions on this site:
http://nodejs.org/api/tls.html

I am using the following options to invoke a listener. I followed the instructions and concatenated the Network Solutions certs together. I'm not sure what is right or wrong, but the public cert is not working.
Code:

# FILES_CERTS stands for the individual CA .crt files; write the concatenation out with '>'
cat FILES_CERTS > All_AddTrust_DV_2_CA.crt
Code:

var secure_fs = require('fs');

var secure_options = {
  key: secure_fs.readFileSync('PATH/sample.whataremindsfor.com.key', 'utf8'),     // server private key
  cert: secure_fs.readFileSync('PATH/SAMPLE.WHATAREMINDSFOR.COM.crt', 'utf8'),    // server (leaf) certificate only
  ca: secure_fs.readFileSync('PATH/All_AddTrust_DV_2_CA.crt', 'utf8')            // concatenated CA certificates
};

I can start the node instance without an error and have been able to add some debug output for the security. I opened up a 2nd terminal to run a test. The output from the node server and the input for a client call are below.

Server Output:
Code:

[2014-11-21 10:18:34.073] [INFO] console - server connected 'unauthorized'
[2014-11-21 10:20:05.018] [INFO] console - server connected 'unauthorized'


Client Request:
Code:

openssl s_client -connect 127.0.0.1:46900
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = nsProtect Secure Xpress, CN = sample.whataremindsfor.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = nsProtect Secure Xpress, CN = sample.whataremindsfor.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = nsProtect Secure Xpress, CN = sample.whataremindsfor.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=nsProtect Secure Xpress/CN=sample.whataremindsfor.com
  i:/C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions DV Server CA 2
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=nsProtect Secure Xpress/CN=sample.whataremindsfor.com
issuer=/C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions DV Server CA 2
---
No client certificate CA names sent
---
SSL handshake has read 1711 bytes and written 581 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 6328E390DEBF3DBF9377410DDA07D2F6795E32E0EE4E1FDC9D9C1539CD7AE212
    Session-ID-ctx:
    Master-Key: 16DE4CDDA2167BD8157406E3D95062DF37EE69409961E6A8F549EA0D16939800C9A402ECE052BC2907C57591EA3FC17E
    Key-Arg  : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8d e3 93 fb dd 5d d5 d1-5a 88 14 72 5d 70 6e f1  .....]..Z..r]pn.
    0010 - 25 c3 4c af 6e 51 66 af-fb b4 08 09 47 2c bd 4d  %.L.nQf.....G,.M
    0020 - 7c 79 71 66 35 bb b9 30-ff 29 61 41 12 46 bb e6  |yqf5..0.)aA.F..
    0030 - d4 ea d9 86 b3 59 75 dc-ad 2c 27 19 87 33 97 e4  .....Yu..,'..3..
    0040 - bc 9c 1d 0b 02 96 1f 96-1b ef 4c d7 ab f6 32 b2  ..........L...2.
    0050 - cc 1e fc 85 28 70 c1 bd-2f 94 aa df 9e 80 e3 6e  ....(p../......n
    0060 - 52 9d 89 5e ac 52 df 8e-16 8a 25 33 37 56 1f e0  R..^.R....%37V..
    0070 - cc 24 c9 f2 e9 69 5d 14-15 56 22 c2 ae c4 8b 1f  .$...i]..V".....
    0080 - 09 4e 1c 1a 43 c1 27 38-35 77 21 db 8e d2 b4 26  .N..C.'85w!....&
    0090 - d3 1e f0 bd f8 42 58 6e-7b b3 0f ef 55 58 1d 6c  .....BXn{...UX.l

    Start Time: 1416583205
    Timeout  : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
welcome!


gothrog 11-22-2014 05:40 PM

Ok. I figured it out.
There are a few things wrong with the instructions from everyone I have seen give out node examples for public CA-signed certs.

Again, this is for Network Solutions as the CA provider. This is for a server CA and NOT a client CA. There is no dual-CA authentication, only the single side from the server.

The notes for adding the CA public certs are confusing, because the CA does not go in the 'ca' attribute of the options. It goes in the 'cert' attribute.

The symptom of this is that, no matter what you do, the same error appears, and yet it authenticates if you use your creds as a part of the call:
Code:

openssl s_client -CAfile 4_CRTs_Sample_DVServ_DVUser_AddT.crt  -connect sample.whataremindsfor.com:56900


Step 1: If you have several .crt files, cat them all together, with the cert for your fully-qualified domain first.
Code:

cat SAMPLE.WHATAREMINDSFOR.COM.crt DV_NetworkSolutionsDVServerCA2.crt DV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > 4_CRTs_Sample_DVServ_DVUser_AddT.crt
Step 2: Ensure that, after you cat the files together, the beginning and end tags are on separate lines.
NO:
Code:

-----BEGIN CERTIFICATE----------END CERTIFICATE-----
YES:
Code:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


Step 3: Don't use the 'ca' attribute for the server-side CA. Only use the 'cert' attribute.
Code:

var secure_fs = require('fs');

var secure_options = {
  key: secure_fs.readFileSync('PATH/sample.whataremindsfor.com.key', 'utf8'),         // server private key
  cert: secure_fs.readFileSync('PATH/4_CRTs_Sample_DVServ_DVUser_AddT.crt', 'utf8')  // leaf + intermediates (+ root) chain from Step 1
};


hlopezvg 06-26-2015 09:00 AM

I apologize if I don't have anything else to add, just wanted to say, Thanks it worked perfectly for me.

