Self signed SSL does not work after upgrading from iojs to nodejs v4.4.4

I was using iojs and koa in my application and recently I decided to update iojs to nodejs v4.4.4. The update was very smooth and my application was running in no time. The problem is that I am using a self signed SSL certificate on my development machine, and after I updated to nodejs I receive the following message when I try to access the website:

This site can’t provide a secure connection

localhost uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.

I am using nvm so I tried switching to iojs and the website was working again.

After some reading I found out that I have to update the openssl to version 1.0.2g instead of the 1.0.1g that I used to create the .key and .crt files. So I updated openssl and generated new key and certificate files like this:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Sadly this did not resolve the issue.

This is the code that I use to setup the https on the server:

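const fs = require('fs');

// Key and certificate generated with the openssl command above
let sslOptions = {
    key: fs.readFileSync('/etc/apache2/ssl/apache.key'),
    cert: fs.readFileSync('/etc/apache2/ssl/apache.crt')
};

// app is the koa application
let server = require('https').createServer(sslOptions, app.callback());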

Am I doing something wrong? Why does it work with iojs and does not work with nodejs?

Ivan Stoyanov asked May 10 '16 13:05


2 Answers

Judging by the error message there is nothing wrong with the self signed certificate. But the 'server' offering the ssl connection doesn't support a suitable combination of protocol version and cipher suite.

openssl s_client -connect localhost:443

or more verbose

openssl s_client -connect localhost:443 -debug

might tell you what's going wrong during the ssl handshake.

You can also find out what combinations are provided with a tool called sslscan

apt-get install sslscan
sslscan localhost:443
sslscan localhost:443 | grep Accepted

In the end you'll want to configure the ciphersuites your https server offers by providing more ssloptions.

See here https://certsimple.com/blog/a-plus-node-js-ssl

unR answered Oct 24 '22 07:10

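The `sslscan localhost:443 | grep Accepted` check from the answer above, turned into a small Node.js script that lists which offered protocol/cipher pairs a client that refuses weak suites could still use. This is an added example, not part of the original answer; it assumes sslscan's `Accepted`/`Preferred` line layout, the sample lines are constructed, and the weak-suite rules are an illustrative policy.

```javascript
'use strict';

// Assumed policy: protocols and cipher-name fragments treated as weak.
const WEAK_PROTOCOLS = new Set(['SSLv2', 'SSLv3']);
const WEAK_CIPHER = /(RC4|NULL|EXP|ADH|AECDH|MD5|(^|-)DES-)/;

// Parse lines such as "Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384".
// Lines with any other status (for example "Rejected") are ignored.
function parseSslscan(text) {
  const row = /^\s*(Accepted|Preferred)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)/;
  const suites = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\x1b\[[0-9;]*m/g, ''); // drop ANSI colour codes
    const m = row.exec(line);
    if (!m) continue;
    const [, , protocol, bitsText, cipher] = m;
    const bits = Number(bitsText);
    const weak = WEAK_PROTOCOLS.has(protocol) || WEAK_CIPHER.test(cipher) || bits < 128;
    suites.push({ protocol, bits, cipher, weak });
  }
  return suites;
}

// Summarise what the server offers from a strict client's point of view.
function summarise(suites) {
  const label = (s) => `${s.protocol} ${s.cipher}`;
  const strong = suites.filter((s) => !s.weak);
  return {
    offered: suites.length,
    strong: strong.map(label),
    weak: suites.filter((s) => s.weak).map(label),
    // False means a client that rejects weak suites has nothing to negotiate,
    // which is the situation the browser error in the question describes.
    modernClientCanConnect: strong.length > 0,
  };
}

// Constructed sample output: a server that only offers RC4 suites.
const SAMPLE_RC4_ONLY = [
  '  Accepted  TLSv1.0  128 bits  RC4-SHA',
  '  Accepted  SSLv3    128 bits  RC4-MD5',
].join('\n');

// Constructed sample output: a server with modern suites plus one legacy suite.
const SAMPLE_MIXED = [
  '\x1b[32mPreferred\x1b[0m TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256',
  'Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256',
  'Accepted  TLSv1.0  112 bits  DES-CBC3-SHA',
  'Rejected  TLSv1.2  128 bits  RC4-SHA',
].join('\n');

console.log(summarise(parseSslscan(SAMPLE_RC4_ONLY)));
console.log(summarise(parseSslscan(SAMPLE_MIXED)));
```
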


There will be a truststore (keystore) file, where all trusted certificates need to be registered. You will have to register this newly created certificate there. The client uses that truststore file to check whether a certificate can be trusted or not.

For more details, you can refer to the link below:

Creating Self Signed Certificates (openssl & keytool)

I hope it helps.

Neha Vari answered Oct 24 '22 07:10
