英文:
CLient authentication does not work properly (with certificate)
问题
I want to check (dynamically via config file) a client certificate, but this does not work properly.
If I don't have a certificate I can still access the site sometimes.
this is my code
Server:
const { createServer } = require("https")
// config.ssl.client_crt = true or false
createServer({
cert: readFileSync(config.ssl.crt_file),
key: readFileSync(config.ssl.key_file),
requestCert: config.ssl.client_crt,
rejectUnauthorized: false,
ca: readFileSync(config.ssl.ca_file),
},app).listen(config.port)
app.get("/", (req, res) => {
authenticator.req_check(req, config.ssl.client_crt, function(ok) {
if (! ok) {
return res.send("nope")
}
return res.send("ok")
})
});
authenticator:
module.exports = {
req_check(req, client_crt, cb) {
if (client_crt && req.client.authorized == false) { // <-- Pay attention!
return cb(false)
} else {
return cb(true)
}
}
}
This works, but when I write it this way the value of req.client.authorized is sometimes ignored
if (client_crt && ! req.client.authorized) {
return cb(false)
}
in my opinion it is the same, or am i wrong?
of course i don't want anyone to access the site without a certificate, so i need your help to make the check absolutely reliable
英文:
I want to check (dynamically via config file) a client certificate, but this does not work properly.
If I don't have a certificate I can still access the site sometimes.
this is my code
Server:
const { createServer } = require("https")
// config.ssl.client_crt = true or false
createServer({
cert: readFileSync(config.ssl.crt_file),
key: readFileSync(config.ssl.key_file),
requestCert: config.ssl.client_crt,
rejectUnauthorized: false,
ca: readFileSync(config.ssl.ca_file),
},app).listen(config.port)
app.get("/", (req, res) => {
authenticator.req_check(req, config.ssl.client_crt, function(ok) {
if (! ok) {
return res.send("nope")
}
return res.send("ok")
})
});
authenticator:
module.exports = {
req_check(req, client_crt, cb) {
if (client_crt && req.client.authorized == false) { // <-- Pay attention!
return cb(false)
} else {
return cb(true)
}
}
}
This works, but when I write it this way the value of req.client.authorized is sometimes ignored
if (client_crt && ! req.client.authorized) {
return cb(false)
}
in my opinion it is the same, or am i wrong?
of course i don't want anyone to access the site without a certificate, so i need your help to make the check absolutely reliable
答案1
得分: 0
如果要强制执行客户端证书授权,必须设置rejectUnauthorized: true。
此外,在建立HTTPS连接之前,甚至在第一个HTTPS请求发送到该连接之前,应该已经检查了证书:
var server = https.createServer({
cert: readFileSync(config.ssl.crt_file),
key: readFileSync(config.ssl.key_file),
requestCert: config.ssl.client_crt,
rejectUnauthorized: true,
ca: readFileSync(config.ssl.ca_file),
}, app)
.listen(config.port, function() {
server.on("secureConnection", function(socket) {
var now = new Date().getTime();
var cert = socket.getPeerCertificate();
if (!socket.authorized ||
now < new Date(cert.valid_from).getTime() ||
now > new Date(cert.valid_to).getTime())
socket.end();
});
});
英文:
If you want authorization by client certificate to be enforced, you must set rejectUnauthorized: true.
Also, certificates should be checked already when an HTTPS connection is set up, even before the first HTTPS request goes over that connection:
var server = https.createServer({
cert: readFileSync(config.ssl.crt_file),
key: readFileSync(config.ssl.key_file),
requestCert: config.ssl.client_crt,
rejectUnauthorized: true,
ca: readFileSync(config.ssl.ca_file),
}, app)
.listen(config.port, function() {
server.on("secureConnection", function(socket) {
var now = new Date().getTime();
var cert = socket.getPeerCertificate();
if (!socket.authorized ||
now < new Date(cert.valid_from).getTime() ||
now > new Date(cert.valid_to).getTime())
socket.end();
});
});
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论