TLS what exactly does 'rejectUnauthorized' mean for me?

Tags:

node.js

ssl

So, I was having an issue earlier today where my client, written in node, was barfing because the server I was connecting to used self-signed certs. So, I went and added the option rejectUnauthorized: false to my tls.connect command like any unwitting developer would do.

My question is now, what the hell does this mean for me? Is my TLS connection just a vanilla TCP connection that can also possibly be a TLS connection? Is writing this as a TLS stream totally useless?

More importantly, that server, you know the one with the self-signed certs? Is my stream between here and there actually encrypted?

asked Aug 06 '15 16:08 by Breedly (903 likes)



1 Answer

As described in the documentation:

  • rejectUnauthorized: If true, the server certificate is verified against the list of supplied CAs. An error event is emitted if verification fails; err.code contains the OpenSSL error code. Default: true.

Since you're using self-signed certificates, obviously there won't be a match with the built-in CAs, so by default the connection would be rejected because it cannot verify the server is who they say they are.

By setting rejectUnauthorized: false, you're saying "I don't care if I can't verify the server's identity." Obviously this is not a good solution as it leaves you vulnerable to MITM attacks.

A better solution for self-signed certificates is to set the appropriate ca value to your custom CA when connecting client-side. Also, make sure your host value matches that of the Common Name of the server's self-signed certificate. For example:

var tls = require('tls');
var fs = require('fs');

var socket = tls.connect({
  host: 'MyTLSServer',   // must match the CN (or a SAN) of the server's certificate
  port: 1337,
  // Trust your own CA (or the self-signed cert itself) instead of the built-in CA list.
  // rejectUnauthorized keeps its default of true, so verification is still enforced.
  ca: [ fs.readFileSync('CA.pem') ],
}, function() {
  // Connected, and the server's identity has been verified
});

// ...

No matter if you use rejectUnauthorized: false or set ca, the connection is encrypted.

answered Oct 06 '22 20:10 by mscdex (193 likes)