So, I was having an issue earlier today where my client, written in node
, was barfing because the server I was connecting to used self signed certs. So, I went and added the option rejectUnauthorized: false
to my tls.connect
command like any unwitting developer would do.
My question is now, what the hell does this mean for me? Is my TLS connection just a vanilla TCP connection that can also possibly be a TLS connection? Is writing this as a TLS stream totally useless?
More importantly, that server, you know the one with the self-signed certs? Is my stream between here and there actually encrypted?
rejectUnauthorized. The easiest solution to resolve these errors is to use the “rejectUnauthorized” option shown below. However, this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack.
env. NODE_EXTRA_CA_CERTS . process stores information about the node process running. env stores all the environment variables (that get populated by dotenv-webpack ).
As described in the documentation:
rejectUnauthorized
: If true
, the server certificate is verified against the list of supplied CAs. An error
event is emitted if verification fails; err.code
contains the OpenSSL error code. Default: true
.Since you're using self-signed certificates, obviously there won't be a match with the built-in CAs, so by default the connection would be rejected because it cannot verify the server is who they say they are.
By setting rejectUnauthorized: false
, you're saying "I don't care if I can't verify the server's identity." Obviously this is not a good solution as it leaves you vulnerable to MITM attacks.
A better solution for self-signed certificates is to set the appropriate ca
value to your custom CA when connecting client-side. Also, make sure your host
value matches that of the Common Name of the server's self-signed certificate. For example:
var socket = tls.connect({
host: 'MyTLSServer',
port: 1337,
ca: [ fs.readFileSync('CA.pem') ],
}, function() {
// Connected!
});
// ...
No matter if you use rejectUnauthorized: false
or set ca
, the connection is encrypted.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With