Document TLS server cert validation when running on NodeJS #190

Open
ImAnAutie opened this issue Mar 20, 2016 · 6 comments
@ImAnAutie

Hi there,
In my application I have a Crossbar router with 3 ports running.
9000 running on localhost for a custom authenticator.
8443 running TLS with a self-signed certificate.
8080 running plaintext.

Other than port 8443 having a section for TLS configuration, it has the same settings as port 8080.

In the browser, with a URL of wss://192.168.1.9:8443/ws, autobahnjs connects to Crossbar over TLS (browser-based autobahnjs also works in plaintext over 8080), but even with a URL of wss://192.168.1.9:8443/ws, autobahnjs in Node tries to get ws://192.168.1.9:8443/ws; the Node.js client will only work over the unsecured 8080.

(used node-inspector to debug)

@zhaolewen

I guess we are having the same issue here. I'm connecting to a secure web socket connection from NodeJS, and it constantly fails to connect, with the reason being "unreachable" and the details:

{ reason: null, message: null, retry_delay: 2.679207405457416, retry_count: 2, will_retry: true }

@oberstet
Contributor

Does your node/openssl support TLS 1.2, or only TLS 1.x, SSLv3 or less? Because of crossbario/crossbar#620 ..

@zhaolewen

I think so, because I’ve just updated my nodejs to 4.4.1, which is the latest LTS version.

Besides, I find that my problem is in fact identical to this one:
https://groups.google.com/forum/#!topic/autobahnws/OTq7qbFTrsY

to which you have also responded, but it’s not solved…

On Mar 30, 2016, at 14:17, Tobias Oberstein [email protected] wrote:

Does your node/openssl support TLS 1.2, or only SSLv3 or less? Because of crossbario/crossbar#620 ..



@npeditto

npeditto commented Nov 9, 2017

Hi All,
I have the same problem in my NodeJS application... Is there any news about this problem? THX

@diabolusss

diabolusss commented Dec 2, 2017

raw_wss_client.txt
Hi. Same here. And I am not running any websocket servers; I try to connect to a trusted one: wss://ws.cex.io/ws/.
Maybe there exists some hacky solution? Or maybe it could work on some versions below 17?

npm list autobahn

/home/user/test
└── [email protected] 

npm list ws

/home/user/test
├─┬ [email protected]
     └── [email protected] 

node -pe process.versions

{ http_parser: '2.7.1',
  node: '6.11.3',
  v8: '5.1.281.107',
  uv: '1.10.2',
  zlib: '1.2.7',
  ares: '1.10.1-DEV',
  icu: '50.1.2',
  modules: '48',
  openssl: '1.0.2k-fips' }

By the way, if I use only the raw websockets/ws lib, then the connection is successful with no warnings or errors. Maybe you can point me to where to debug connection issues in the autobahn project or linked modules?

@oberstet
Contributor

oberstet commented Apr 22, 2019

So for one thing, running in production, Crossbar.io can be made to accept connections only over TLS, and automatically redirect insecure connections to the secure endpoint like this:

https://github.com/crossbario/crossbar-examples/blob/master/demos/_demo_launcher/.crossbar/config.json


next:

process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';

this is dangerous! it will deactivate the client-side checking of the server certificate, and it seems to be deprecated anyway

nodejs/node#5258


what really needs to be done is: the client-side nodejs and ws library must have the correct CA certificates to validate the server certificate presented by Crossbar.io

so actually this has nothing to do with ABJS, but all with nodejs configuration - but we might want to add some notes to our docs here in ABJS just to be helpful. TLS can be tricky to set up ;)

@oberstet oberstet changed the title Node client attempts to connect over non secured connection even when using wss url Document TLS server cert validation when running on NodeJS Apr 22, 2019
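
An added example, not part of the original thread and not AutobahnJS or Crossbar.io code: one way to act on the last comment in Node.js is to build the client's TLS options from an explicit CA bundle and fail closed when certificate checking has been switched off. The function names are hypothetical, and the sample CA comes from Node's bundled roots as a stand-in for the certificate that signed the Crossbar.io endpoint.

```javascript
// Added example; function names are hypothetical, not AutobahnJS or Crossbar.io API.
const tls = require('node:tls');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Fail closed if server certificate checking was disabled process-wide.
function assertVerificationEnabled(env) {
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 disables server certificate checks');
  }
}

// Build client options (the `ca` / `rejectUnauthorized` fields of tls.connect())
// from a PEM bundle. Each block must parse as X.509 and be usable as a trust
// anchor: a CA certificate, or a self-signed certificate such as a test server's.
function buildClientTlsOptions(caBundlePem, env = process.env) {
  assertVerificationEnabled(env);
  const blocks = String(caBundlePem).match(PEM_BLOCK) || [];
  if (blocks.length === 0) throw new Error('no CERTIFICATE blocks in CA bundle');
  for (const pem of blocks) {
    const cert = new X509Certificate(pem); // throws on malformed input
    const selfSigned = cert.subject === cert.issuer;
    if (!cert.ca && !selfSigned) {
      throw new Error(`not usable as a trust anchor: ${cert.subject}`);
    }
  }
  // An explicit `ca` replaces Node's default roots for this connection only.
  return { ca: blocks, rejectUnauthorized: true };
}

// Constructed sample input: a CA certificate from Node's bundled roots, standing in
// for the certificate that signed the server's endpoint.
function sampleCaPem() {
  return tls.rootCertificates.find((pem) => new X509Certificate(pem).ca);
}

const demo = buildClientTlsOptions(sampleCaPem(), {}); // constructed empty env
console.log(`trusting ${demo.ca.length} CA certificate(s); verification stays on`);
```

For a server addressed by IP, as in the first post, the server certificate also needs a matching subjectAltName entry, otherwise hostname verification fails even with the right CA.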