Kousha Kousha - 3 months ago 35
Node.js Question

Socket.IO TLS requiring key/cert

I have a CA from an authorized server. I have set up my HTTPS and WebSocket setup as follows:

var fs = require('fs');
var https = require('https');
// config and app (an HTTP request handler, e.g. an Express app) are defined elsewhere

var httpsOptions = {
    cert: fs.readFileSync(config.ssl.server_cert),
    key: fs.readFileSync(config.ssl.server_key),
    requestCert: true,
    rejectUnauthorized: true,
    passphrase: config.ssl.server_password
};

var httpsServer = https.createServer(httpsOptions, app);

httpsServer.listen(config.https_port, function () {
    console.info("HTTPS server running on %d", config.https_port);
});

// attach socket.io to the same HTTPS server
var io = require('socket.io').listen(httpsServer);
io.sockets.on('connection', function (socket) {
    console.log("connected: " + socket.id);
});


Now, my clients will have to sign up for an account. When they do, I want to create a private/public key for them, and sign it with the CA that I have. They then have to use them for any web socket connection. If these are not provided, I don't want to even allow a connection.

My client at the moment is then:

var socket = io.connect(url, {secure: true, 'force new connection': true});


But I cannot figure out how to A) pass the key to the server, and B) If this is even possible?

Answer
  • If you're talking about browsers, then the client certificate and private key has to be installed in the browser or OS certificate store (depending on which browser is being used). Once installed, the browser will automatically send the certificate.

    Unfortunately, client certificate installation is not a user-friendly process.

  • If your client is a node process, a client cert option was (finally) added in socket.io 1.3.

Don't forget to validate that the presented certificate matches a user account in your system. rejectUnauthorized only validates that the client presented a certificate issued by any trusted CA.


Do you mean you have an SSL certificate for your server? You can't sign new certificates with that. No trusted root CA gives out certs that allow third parties to sign certs without a very long process and lots of money.

You can run your own CA that signs client certificates. You have to configure your server to trust your client certificate-issuing CA (via the ca option in createServer) since it will be untrusted by default.
