我正在使用节点0.10.26并尝试建立与客户端验证的https连接.
服务器代码:
var https = require('https');
var fs = require('fs'); process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; var options = { key: fs.readFileSync('ssl/server1.key'), cert: fs.readFileSync('ssl/server1.pem'), requestCert: true, rejectUnauthorized: false, }; var server = https.createServer(options, function (req, res) { if (req.client.authorized) { res.writeHead(200, {"Content-Type":"application/json"}); res.end('{"status":"approved"}'); console.log("Approved Client ", req.client.socket.remoteAddress); } else { console.log("res.connection.authroizationError: " + res.connection.authorizationError); res.writeHead(403, {"Content-Type":"application/json"}); res.end('{"status":"denied"}'); console.log("Denied Client " , req.client.socket.remoteAddress); } }); server.on('error', function(err) { console.log("server.error: " + err); }); server.on("listening", function () { console.log("Server listeining"); }); server.listen(5678);
客户代码:
var https = require('https');
var fs = require('fs'); var options = { host: 'localhost', port: 5678, method: 'GET', path: '/', headers: {}, agent: false, key: fs.readFileSync('ssl/client2.key'), cert: fs.readFileSync('ssl/client2.pem'), ca: fs.readFileSync('ssl/ca.pem') }; process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; var req = https.request(options, function(res) { console.log(res.req.connection.authorizationError); }); req.on("error", function (err) { console.log('error: ' + err); }); req.end();
我已经使用以下命令创建了证书,每次提供“uname -n”作为“公用名称”的结果:
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -days 999 -out ca.pem
openssl genrsa -out server1.key 1024 openssl req -new -key server1.key -out server1.csr openssl x509 -req -days 999 -in server1.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server1.pem openssl genrsa -out client1.key 1024 openssl req -new -key client1.key -out client1.csr openssl x509 -req -days 999 -in client1.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client1.pem openssl genrsa -out server2.key 1024 openssl req -new -key server2.key -out server2.csr openssl x509 -req -days 999 -in server2.csr -CA server1.pem -CAkey server1.key - set_serial 02 -out server2.pem openssl genrsa -out client2.key 1024 openssl req -new -key client2.key -out client2.csr openssl x509 -req -days 999 -in client2.csr -CA client1.pem -CAkey client1.key -set_serial 02 -out client2.pem
我已经运行客户端和服务器,其中包含客户端和服务器证书(即[(server1,client1),(server1,client2),(server2,client1),(server2,client2)]以及其中的每个组合服务器测试了默认值“agent”字段,“agent”设置为“false”.
每次运行client.js时,res.req.connection.authorizationError设置为DEPTH_ZERO_SELF_SIGNED_CERT.
如何在客户端证书身份验证的节点中建立安全连接?
我相信你有两个问题,一个是你的代码,一个是你的证书.
代码问题在您的服务器中.您没有指定CA来检查具有您客户端代码中的选项属性的客户端证书:
ca: fs.readFileSync('ssl/ca.pem'),
第二个问题是真正导致DEPTH_ZERO_SELF_SIGNED_CERT错误的问题.您正在将所有证书(CA,服务器和客户端)都提供给相同的可分辨名称.当服务器从客户端证书中提取颁发者信息时,会发现发行者DN与客户端证书DN相同,并得出客户端证书是自签名的.
尝试重新生成证书,给每个证书一个唯一的通用名称(使DN也是唯一的).例如,将您的CA证书“Foo CA”命名,您的服务器证书是您的主机名称(在这种情况下为“localhost”),您的客户端将其名称(例如“Foo Client 1”)命名.
http://www.voidcn.com/article/p-yejhviry-btu.html