
Intermediate certs don't work with SNICallback #2772

Closed
fastner opened this issue Sep 9, 2015 · 8 comments
Labels
tls Issues and PRs related to the tls subsystem.

Comments

fastner commented Sep 9, 2015

If I give key, cert and ca via options field to https.createServer the whole key chain is returned on connection (correct behaviour). If I try to do the same via SNICallback it is not possible to set whole key chain.

Example code:

var https = require("https");
var fs = require("fs");
var tls = require("tls");

var o = {
    key: fs.readFileSync("example.com.key"),
    cert: fs.readFileSync("example.com.crt"),
    ca: fs.readFileSync("intermediate.crt")
};

var context = tls.createSecureContext(o);
var options = {
    SNICallback: function(servername, cb) {
        return cb(null, context);
    },

    ca: o.ca
};

https.createServer(options, function(req, res) {
    res.writeHead(200);
    res.end("hello world\n");
}).listen(8000);

Now try to connect via openssl:

openssl s_client -servername example.com -connect localhost:8000

Expected and real behaviour is Verify return code: 0 (OK).

If I remove the ca in options map like this

var options = {
    SNICallback: function(servername, cb) {
        return cb(null, context);
    }
};

and rerun the openssl client, the return code is Verify return code: 21 (unable to verify the first certificate), which indicates that the whole key chain is not returned.
The expected behaviour is Verify return code: 0 (OK), as the ca field is given to tls.createSecureContext.

This occurs in io.js 3.x and Node.js 4.0.0.

ChALkeR added the tls label Sep 9, 2015
@gregholland

+1 - I've just hit the same issue.

@bnoordhuis (Member)

/cc @nodejs/crypto

@alexlamsl

Would concatenating those intermediate certificates alongside your cert instead of ca work in this case?

indutny (Member) commented Oct 25, 2015

It should work. Working on a fix.

fastner (Author) commented Oct 25, 2015

@alexlamsl did you mean something like

var o = {
  key: fs.readFileSync("example.com.key"),
  ca: fs.readFileSync("example.com.crt") + "\n" + fs.readFileSync("intermediate.crt")
};

@alexlamsl

@fastner I just did it on the crt file itself:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: example.com.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: intermediate.crt)
-----END CERTIFICATE-----

And then specify only cert and no ca in the options.

indutny added a commit to indutny/io.js that referenced this issue Oct 27, 2015
Copy client CA certs and cert store when asynchronously selecting
`SecureContext` during `SNICallback`. We already copy private key,
certificate, and certificate chain, but the client CA certs were
missing.

Fix: nodejs#2772
@gregholland

@alexlamsl Your solution to concatenate cert and intermediates works well - thanks for the solution.

indutny added a commit that referenced this issue Nov 17, 2015
Copy client CA certs and cert store when asynchronously selecting
`SecureContext` during `SNICallback`. We already copy private key,
certificate, and certificate chain, but the client CA certs were
missing.

Fix: #2772
PR-URL: #3537
Reviewed-By: Ben Noordhuis <[email protected]>
MylesBorins pushed a commit that referenced this issue Jan 28, 2016
MylesBorins pushed a commit that referenced this issue Feb 11, 2016
MylesBorins pushed a commit to MylesBorins/node that referenced this issue Feb 11, 2016
MylesBorins pushed a commit to MylesBorins/node that referenced this issue Feb 15, 2016
@anatolsommer

Maybe it's a dumb question or the wrong place to ask, but is the cert: cert+'\n'+ca workaround safe to use or do I have to be afraid that this causes trouble with future node versions?
