The ca option is not passed to node-socket instances #66

Open
captainmuppet opened this issue Apr 12, 2019 · 5 comments

Comments

@captainmuppet

CA certificates are not passed to the net.tls.connect() function and the socket can not be upgraded if the server uses a certificate that is not in the mozilla CA Certificate Store.

Use-case: IMAP connection using emailjs-imap-client to internal servers.

@captainmuppet captainmuppet changed the title The ca option is not passed to node-socket instances The ca option is not passed to node-socket instances Apr 12, 2019
@captainmuppet
Author

Fixed by #67

The webpack version installed by running npm install can not be used to build the project, but [email protected] works fine.
Please consider adding a package-lock or npm-shrinkwrap file.

@felixhammerl
Contributor

The node socket does not consume this option... Add the missing cert to your cert store instead.
https://nodejs.org/dist/latest-v11.x/docs/api/net.html#net_socket_connect_options_connectlistener

@captainmuppet
Author

True, but tls.connect does. That's why I used it twice (constructor / upgradeToSecure).

Last entry for tls.connect options.
All properties used by tls.createSecureContext() can be passed directly to the connect method.

@felixhammerl
Contributor

Firefox CA store does not have any influence on your system cert store because Firefox brings its own store. Use the keychain (on macOS) or whatever your respective system uses.

@captainmuppet
Author

captainmuppet commented Apr 18, 2019

node.js uses its own certificate store (with certificates copied from the Mozilla CA Certificate Store) by default, as mentioned on the tls page:
ca: Optionally override the trusted CA certificates. Default is to trust the well-known CAs curated by Mozilla.

While installing the certificate on the OS level could* solve the problem, it's also a security risk to accept all certificates from a CA you otherwise wouldn't trust. With the ca option, you only have to trust the issuer where it's needed.

* I'm not sure if node.js uses both the internal cert store and the OS provided certificates
