Intermediate certs don't work with SNICallback #2772
Comments
+1 - I've just hit the same issue.
/cc @nodejs/crypto
Would concatenating those intermediate certificates alongside your
It should work. Working on fix.
@alexlamsl did you mean something like
@fastner I just did it on the
And then specify only
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: nodejs#2772
@alexlamsl Your solution to concatenate cert and intermediates works well - thanks for the solution.
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: nodejs#2772 PR-URL: nodejs#3537 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Maybe it's a dumb question or the wrong place to ask, but is the
If I give key, cert and ca via options field to https.createServer the whole key chain is returned on connection (correct behaviour). If I try to do the same via SNICallback it is not possible to set whole key chain.
Example code:
Now try to connect via openssl:
Expected and real behaviour is
Verify return code: 0 (OK)
If I remove the ca in options map like this
and rerun openssl client the return code is
Verify return code: 21 (unable to verify the first certificate)
which indicates that not the whole key chain is returned. The expected behaviour is
Verify return code: 0 (OK)
as the ca field is given to tls.createSecureContext.
This occurs in io.js 3.x and Node.js 4.0.0.
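The workaround confirmed in the comments (leaf and intermediate certificates concatenated into `cert`), written out as an added example that is not code from this issue or from Node.js. `bundleChain`, `makeSniCallback`, the shape of the `hosts` map and the two sample PEM strings are assumptions; the samples are constructed placeholders, not real certificates.

```javascript
'use strict';
const tls = require('tls');

// Constructed placeholders (not real certificates); they only exercise bundleChain().
const SAMPLE_LEAF = '-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----';
const SAMPLE_INTERMEDIATE = '-----BEGIN CERTIFICATE-----\nSU5U\n-----END CERTIFICATE-----';

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Build the value for the `cert` option: the leaf first, then each intermediate
// in issuing order, so the chain is sent without relying on `ca`.
function bundleChain(leafPem, intermediatePems = []) {
  const blocks = [];
  for (const pem of [leafPem, ...intermediatePems]) {
    const found = String(pem).match(PEM_CERT);
    if (!found) throw new Error('no PEM certificate block found');
    blocks.push(...found);
  }
  return blocks.join('\n') + '\n';
}

// hosts (hypothetical shape): { 'name': { key, cert, intermediates: [pem, ...] } }
// createContext is injectable so the wiring can be checked without real key material.
function makeSniCallback(hosts, createContext = tls.createSecureContext) {
  const cache = new Map();
  return function SNICallback(servername, cb) {
    let ctx = cache.get(servername);
    if (!ctx) {
      // Own-property lookup: the client chooses servername, so names such as
      // "constructor" must not resolve to something inherited from Object.
      const known = Object.prototype.hasOwnProperty.call(hosts, servername);
      if (!known) return cb(new Error(`no certificate configured for ${servername}`));
      const entry = hosts[servername];
      try {
        ctx = createContext({
          key: entry.key,
          cert: bundleChain(entry.cert, entry.intermediates),
        });
      } catch (err) {
        return cb(err);
      }
      cache.set(servername, ctx);
    }
    cb(null, ctx);
  };
}

// Usage: https.createServer({ SNICallback: makeSniCallback(hosts) }, handler)
```

Re-running the `openssl` client check from the report against a server built this way shows whether the intermediates are now sent.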