
interceptOptions / verify upstream SSL

Open fopinappb opened this issue 1 year ago • 0 comments

Follow up on #41

I was testing this change and I was unable to get validation to work (certificate is always ignored).

I've reproduced it with a simpler script

const tls = require('tls');

// No underlying socket is wrapped; the TLSSocket instance dials out itself.
const sock = new tls.TLSSocket(null, {rejectUnauthorized: true, requestCert: true});

sock.on('secureConnect', () => {
  console.log(`Successfully connected`);
  console.log(sock.authorized);         // true only if the peer certificate verified
  console.log(sock.authorizationError); // verification error code, if any
});

sock.on('end', () => {
  console.log('\nClosed');
});

sock.on('error', (e) => {
  console.log(`GOT ERROR\n\n${e}`);
});

sock.on('data', (e) => {
  console.log(`GOT DATA\n\n${e}`);
});

sock.connect(9999, 'localhost', () => {
  console.log("connected\n");
  sock.write("GET / HTTP/1.0\n\n");
});

Socket always connects successfully regardless of rejectUnauthorized value.

secureConnect and tlsClientError events are never triggered, which leads me to think this is treated differently than assumed.

However, switching from the constructor to tls.connect seems to make it work (and reject invalid certs by default).

const tls = require('tls');

// tls.connect is a plain function, not a constructor; the callback runs on secureConnect.
const sock = tls.connect(9999, 'localhost', {rejectUnauthorized: true, requestCert: true}, () => {
  console.log("connected\n");
  sock.write("GET / HTTP/1.0\n\n");
});

sock.on('secureConnect', () => {
  console.log(`Successfully connected`);
  console.log(sock.authorized);         // true only if the peer certificate verified
  console.log(sock.authorizationError); // verification error code, if any
});

sock.on('end', () => {
  console.log('\nClosed');
});

sock.on('error', (e) => {
  console.log(`GOT ERROR\n\n${e}`);
});

sock.on('data', (e) => {
  console.log(`GOT DATA\n\n${e}`);
});

This produces

GOT ERROR

Error: certificate has expired

And if we set reject to false, it does proceed, but it triggers secureConnect and authorizationError holds the error.

connected

Successfully connected
false
CERT_HAS_EXPIRED
GOT DATA

HTTP/1.1 200 OK
X-Powered-By: Express
Set-Cookie: cookie=value; Path=/
Content-Type: text/html; charset=utf-8
Content-Length: 13
Connection: close

Hello world!


Closed

Not exactly sure why the constructor always allows invalid certificates and never triggers secureConnect...

fopinappb, Oct 06 '23 13:10