Secure Socket Client Connection Error "self signed certificate in certificate chain"
I suppose if you take the given example but at the end of the client code you put wss instead of ws the error is reported when trying to connect from another nodejs server as a client.
Connect Error: self signed certificate in certificate chain
I have indeed for now properly working self signed certificates and a Certificate Authority CA that is self signed. I've also tried adding to npm the cafile key and filename, (in "config" and out). https://docs.npmjs.com/misc/config#cafile [note: it's just for the registry, and unrelated]
So secure connections are rejected if self signed, and there doesn't seem to be anything I can do about it?! What am I missing or is this a feature request other than the bug it's feeling like. It's hard to believe no one noticed and fixed this before, so I figure I need help sorting out the issue, thanks. I guess the question is: is there somewhere I put my CA.cert for accepting self signed certificates?
I'm seeing https://github.com/theturtle32/WebSocket-Node/blob/master/lib/WebSocketClient.js#L115
WebSocketClient.prototype.connect = function(requestUrl, protocols, origin, headers, extraRequestOptions) {
for the first time digging into the code (so maybe I missed some docs too?). something in the tlsOptions maybe?
I've also looked further into nodejs createServer options, but it's really the client that you'd think needs to know about my CertAuth. https://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener
Found the docs... https://github.com/theturtle32/WebSocket-Node/blob/master/docs/WebSocketClient.md Looking more like a req issue though? https://github.com/theturtle32/WebSocket-Node/blob/master/docs/WebSocketRequest.md
Server Config Options? https://github.com/theturtle32/WebSocket-Node/blob/master/docs/WebSocketServer.md#server-config-options
Is this them? I'm not finding any clear reference to be able to add my CA there... currently.
Maybe if you could point me to a nodejs server to nodejs client with ssl/tls/wss enabled example that would show the way, thanks.
Found the way. It is the tlsOptions
in server.conf = {...}
    options: {
        tlsOptions: {
            ca: wup.lib.fs.readFileSync( 'ca-crt.pem' ),
            checkServerIdentity: function ( host, cert ) {
                if ( host != cert.subject.CN ) return "checkServerIdentity: mismatched:" + host;
            }
        }
    }
checkServerIdentity is required and returns an error string if one, and so returns undefined if okay.
Then you include that options object in your client call. The examples here BTW are the strangest I've ever seen.
Mine looks more like this basically.
let conn = new libs.websocket.client(server.conf.opts);
than the, odd but similar, suggested way.
var WebSocketClient = require('websocket').client;
var client = new WebSocketClient(server.conf.opts);
[But my way my IDE says the lower case constructor looks suspiciously wrong. The expected convention is with a capital. I guess I'm saying the 'client' constructor function should be Client. It says typo or conceptual error.]
references: https://github.com/theturtle32/WebSocket-Node/blob/master/docs/WebSocketClient.md#client-config-options whose tlsOptions description links to https://nodejs.org/api/https.html#https_https_request_options_callback
This seems to be only working one way!? and so therefore seems maybe a signing issue as well.
I'm still having serious problems with this "self signed certificate in certificate chain" error when connecting wss secure websocket connections.
Using this ref http://serverfault.com/questions/589590/understanding-the-output-of-openssl-s-client I was able to figure that in fact the CA was not loading. Further investigation showed the data was set but when connected to the next node in a forEach function loop it was missing in subsequent usages? I'm still struggling against whatever is doing that and the "why?" about it. As it's totally inefficient to reload the CA from file etc. every time a connection is established.
At this point I figure your "client" constructor is damaging the tlsOptions argument passed to it, but shouldn't be.
I've had to use Buffer.from() so I don't have to fs.readFileSync('ca-crt.pem') for every connection.
It's ugly and bad, and super strange (aka not normal expected behavior = confusing/bad). [Basically wasted about a week.]
I should not have closed this personally. Yes I've got it working but there's a serious overwrite (tlsOptions deletion) oversight for whoever is responsible here to fix and/or close this issue.
Maybe that is what you are looking for?
let client = new WebSocketClient({tlsOptions: {rejectUnauthorized: false}});
works fine for me
const conn = new WebSocketClient(
wsURL,
['Bearer', 'xxx'],
undefined,
undefined,
{ agent: new https.Agent({rejectUnauthorized: false}) },
);
Hi, to turn off the certificate authentication is not really an option. For me, the problem is not solved yet. There is already a solution to the problem. Thank you in advance.
I use version 1.0.28.
For testing purposes (Node.js), I was able to use the following in the client script while using self-signed certificate approach:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
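An added example, not written by any participant in this thread or taken from WebSocket-Node: it keeps certificate verification on while trusting a private CA through `tlsOptions`, and contrasts the CN-only `checkServerIdentity` posted above with Node's built-in `tls.checkServerIdentity`. The host names, the certificate object and the helper names (`tlsOptionsFor`, `strictCheck`, `cnOnlyCheck`, `compare`) are constructed for illustration.

```javascript
// Added example, not code from the thread. Host names and certificate fields are constructed.
const tls = require('tls');

// The CN-only comparison posted earlier in the thread, kept for contrast.
function cnOnlyCheck(host, cert) {
  if (host != cert.subject.CN) return 'checkServerIdentity: mismatched:' + host;
}

// Node's built-in verifier: matches subjectAltName DNS entries (wildcards included),
// falls back to CN only when the certificate has no DNS SANs, and returns an Error
// (code ERR_TLS_CERT_ALTNAME_INVALID) on mismatch or undefined on success.
function strictCheck(host, cert) {
  return tls.checkServerIdentity(host, cert);
}

// Read the CA once, then hand every client its own options object, so nothing one
// client does to its copy can affect the next connection. Chain verification stays on.
function tlsOptionsFor(caPem) {
  return { ca: caPem, rejectUnauthorized: true, checkServerIdentity: strictCheck };
}
// Usage with this library, as in the thread:
//   new WebSocketClient({ tlsOptions: tlsOptionsFor(ca) })

// Constructed certificate in the shape Node passes to checkServerIdentity.
const sampleCert = {
  subject: { CN: 'node-a.example.test' },
  subjectaltname: 'DNS:node-b.example.test, DNS:*.mesh.example.test',
};

// Run both checks for one host name and report which of them accept it.
function compare(host) {
  const err = strictCheck(host, sampleCert);
  return {
    host,
    cnOnly: cnOnlyCheck(host, sampleCert) === undefined,
    builtin: err === undefined,
    code: err ? err.code : null,
  };
}

console.table(
  ['node-a.example.test', 'node-b.example.test', 'n7.mesh.example.test'].map(compare)
);
```

The two checks disagree on all three names: the CN-only comparison accepts only the name in the subject CN, while the built-in check accepts only the names covered by the SAN list.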