node.js – 服務器端的客戶端證書驗證,DEPTH_ZERO_SELF_SIGNED_CERT錯誤


我正在使用 Node 0.10.26,並嘗試建立帶有客戶端驗證的 https 連接.

 

服務器代碼:

 

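// Server side of the mutual-TLS example: asks every client for a
// certificate and answers 200 only when that certificate verifies
// against the configured CA.
var https = require('https');
var fs = require('fs');

// NOTE(review): process-wide switch that turns off TLS peer verification
// for connections this process *initiates*. The server below initiates
// none, so the line does nothing useful here; it is kept only because the
// original script set it. It should not be carried into production code.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

var options = {
  key: fs.readFileSync('ssl/server1.key'),
  cert: fs.readFileSync('ssl/server1.pem'),
  // CA that issued the client certificates. This was missing: without a
  // trust anchor the server has nothing to verify the presented client
  // certificate against, so req.client.authorized can never become true.
  ca: fs.readFileSync('ssl/ca.pem'),
  // Request a certificate from every client ...
  requestCert: true,
  // ... but keep the connection open when verification fails, so the
  // handler can inspect req.client.authorized and reply 403 itself.
  rejectUnauthorized: false
};

// Request handler. The TLS layer has already run verification; its result
// is exposed as req.client.authorized / connection.authorizationError.
function handleRequest(req, res) {
  var peer = req.client.socket.remoteAddress;
  if (req.client.authorized) {
    res.writeHead(200, {"Content-Type":"application/json"});
    res.end('{"status":"approved"}');
    console.log("Approved Client ", peer);
    return;
  }
  // authorizationError names the verification failure (e.g. the
  // DEPTH_ZERO_SELF_SIGNED_CERT seen in the question).
  console.log("res.connection.authorizationError: " + res.connection.authorizationError);
  res.writeHead(403, {"Content-Type":"application/json"});
  res.end('{"status":"denied"}');
  console.log("Denied Client " , peer);
}

var server = https.createServer(options, handleRequest);
server.on('error', function (err) {
  console.log("server.error: " + err);
});
server.on("listening", function () {
  console.log("Server listening");
});
server.listen(5678);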

客戶代碼:

 

// Client side of the mutual-TLS example: presents client2's certificate
// and prints the verification verdict recorded on the response socket.
var https = require('https');
var fs = require('fs');

// Connection parameters plus the client credentials and the trust anchor
// used to check the server's certificate.
function buildRequestOptions() {
  return {
    host: 'localhost',
    port: 5678,
    method: 'GET',
    path: '/',
    headers: {},
    agent: false,
    // Client certificate and private key presented to the server.
    key: fs.readFileSync('ssl/client2.key'),
    cert: fs.readFileSync('ssl/client2.pem'),
    // CA used to verify the server's certificate.
    ca: fs.readFileSync('ssl/ca.pem')
  };
}

// authorizationError on the response's socket is the client-side view of
// how the server's certificate verified (null when it verified).
function onResponse(res) {
  console.log(res.req.connection.authorizationError);
}

function onRequestError(err) {
  console.log('error: ' + err);
}

var requestOptions = buildRequestOptions();
// Process-wide switch: with "0", a server certificate that fails
// verification no longer aborts outgoing TLS connections, so the `ca`
// above is loaded but a bad server certificate is not rejected.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
var clientRequest = https.request(requestOptions, onResponse);
clientRequest.on("error", onRequestError);
clientRequest.end();

我已經使用以下命令創建了證書,每次都以“uname -n”的輸出作為“公用名稱”(Common Name):

 

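# Certificate generation for the example. Each `openssl req` prompts for a
# subject; give every certificate a DIFFERENT Common Name (e.g. "Foo CA"
# for the CA, "localhost" for the server, "Foo Client 1" for a client).
# Reusing one DN for issuer and subject is what makes the peer certificate
# look self-signed (DEPTH_ZERO_SELF_SIGNED_CERT).

# Root CA.
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -days 999 -out ca.pem

# server1 and client1, both issued directly by the CA.
# NOTE(review): 1024-bit RSA is below the key size most current TLS stacks
# accept; 2048 or larger is the usual choice. Both certificates below get
# serial 01 from the same issuer; serials should be unique per issuer.
openssl genrsa -out server1.key 1024
openssl req -new -key server1.key -out server1.csr
openssl x509 -req -days 999 -in server1.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server1.pem
openssl genrsa -out client1.key 1024
openssl req -new -key client1.key -out client1.csr
openssl x509 -req -days 999 -in client1.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client1.pem

# server2 and client2 are issued by server1 / client1 rather than by the CA.
# NOTE(review): server1.pem and client1.pem are issued here without CA
# extensions, and the client above sends only client2.pem, so the server
# needs the intermediate to build a chain back to ca.pem — confirm this
# pairing actually chains before relying on it.
openssl genrsa -out server2.key 1024
openssl req -new -key server2.key -out server2.csr
# Fixed: the original had "- set_serial" (stray space), which openssl does
# not accept as an option.
openssl x509 -req -days 999 -in server2.csr -CA server1.pem -CAkey server1.key -set_serial 02 -out server2.pem
openssl genrsa -out client2.key 1024
openssl req -new -key client2.key -out client2.csr
openssl x509 -req -days 999 -in client2.csr -CA client1.pem -CAkey client1.key -set_serial 02 -out client2.pem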

我已經用客戶端證書和服務器證書的各種組合(即[(server1,client1),(server1,client2),(server2,client1),(server2,client2)])運行了客戶端和服務器,並且對每種組合都分別測試了“agent”字段取默認值和“agent”設置為“false”兩種情況.

每次運行client.js時,res.req.connection.authorizationError都被設置為DEPTH_ZERO_SELF_SIGNED_CERT.

如何在 Node 中建立帶客戶端證書身份驗證的安全連接?

 
我相信你有兩個問題,一個是你的代碼,一個是你的證書.

 

代碼問題出在您的服務器中.您沒有像客戶端代碼中那樣,通過以下選項屬性指定用於檢查客戶端證書的CA:

 

ca: fs.readFileSync('ssl/ca.pem'),

第二個問題才是真正導致DEPTH_ZERO_SELF_SIGNED_CERT錯誤的原因.您給所有證書(CA、服務器和客戶端)都使用了相同的可分辨名稱(DN).當服務器從客戶端證書中提取頒發者信息時,會發現頒發者DN與客戶端證書的主體DN相同,於是判定客戶端證書是自簽名的.

嘗試重新生成證書,給每個證書一個唯一的通用名稱(這樣DN也是唯一的).例如,將您的CA證書命名為“Foo CA”,服務器證書使用您的主機名(在這種情況下為“localhost”),客戶端證書則使用各自的名稱(例如“Foo Client 1”).

 

http://www.voidcn.com/article/p-yejhviry-btu.html

 

