TLS what exactly does 'rejectUnauthorized' mean for me?
So, I was having an issue earlier today where my client, written in node, was barfing because the server I was connecting to used self-signed certs. So, I went and added the option rejectUnauthorized: false to my tls.connect command like any unwitting developer would do.

My question is now, what the hell does this mean for me? Is my TLS connection just a vanilla TCP connection that can also possibly be a TLS connection? Is writing this as a TLS stream totally useless?

More importantly, that server, you know the one with the self-signed certs? Is my stream between here and there actually encrypted?

Whither answered 6/8, 2015 at 16:28

As described in the documentation:

  • rejectUnauthorized: If true, the server certificate is verified against the list of supplied CAs. An error event is emitted if verification fails; err.code contains the OpenSSL error code. Default: true.

Since you're using self-signed certificates, obviously there won't be a match with the built-in CAs, so by default the connection would be rejected because it cannot verify the server is who they say they are.

By setting rejectUnauthorized: false, you're saying "I don't care if I can't verify the server's identity." Obviously this is not a good solution as it leaves you vulnerable to MITM attacks.

A better solution for self-signed certificates is to set the appropriate ca value to your custom CA when connecting client-side. Also, make sure your host value matches that of the Common Name of the server's self-signed certificate. For example:

var tls = require('tls');
var fs = require('fs');

var socket = tls.connect({
  host: 'MyTLSServer',               // must match the CN of the server's certificate
  port: 1337,
  ca: [ fs.readFileSync('CA.pem') ], // the custom CA that signed the server's certificate
}, function() {
  // Connected! The server's cert has been verified against CA.pem.
});

// ...

No matter if you use rejectUnauthorized: false or set ca, the connection is encrypted.

Latex answered 6/8, 2015 at 17:34
Node was throwing the error: 'SELF SIGNED CERT IN CHAIN'. Is there a better way to get around that for self-signeds? Could the host/CN be an IP address? - Whither
I handled it using the 'NODE_TLS_REJECT_UNAUTHORIZED=0' flag. It is not the correct way to do it but works for a development environment. - Isocracy
The better way and the correct way was included in the answer. It is the line that starts with ca:. - Susurrous
