Unable to set CA or other XHR options on initial handshake #421

@mattydoincode

Hello!

I have the unfortunate challenge of trying to get an application working in a corporate/government type environment where all traffic is behind a firewall that decrypts/encrypts traffic to the outside world. The general way we get around that is that in the browser, the browser itself handles the SSL proxy problem, but when running node (in electron, for example) we need to manually say "hey node, use this certificate authority". Example:

https.globalAgent.options.ca = myListOfCerts;

This sets it so that all normal XHR calls to the outside world running in nodejs use this trusted list of certs.

Sockjs, however, is ignoring the global agent (I'm sure for good reason) when making the initial XHR request to the outside world before upgrading to the wss connection. This ignores the global ca option, and sockjs does not currently provide a way to pass through "xhrOptions" or whatever we would like to call them so that we can manually set them.

I'd like to propose allowing xhrOptions to be passed in. I have forked the project for my own purposes, but think it would be a great feature and would be happy to set that PR up if this idea is well received.

Thanks!

@brycekahle
Contributor

@mattydoincode I don't see any code that is intentionally ignoring the globalAgent. Can you link me to your changes?

@mcw8d

mcw8d commented Jan 17, 2019

@brycekahle I also just ran into a similar problem. I think the issue is that SockJS sets agent: false here. The Node documentation says that agent: false will create a one-time-use Agent with default options. From what I can tell, that one-time-use agent seems to ignore environment variables and command line options. The only way I could get my code to connect was to delete that line. Is there a particular reason for using agent: false?
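
The agent selection discussed in the comment above can be checked with Node core alone. This is an added example, not part of the thread and not sockjs-client code; `probe`, `compareAgentSettings`, the stand-in CA and the loopback target are assumptions made for the illustration.

```javascript
// Added illustration using Node.js core modules only.
const https = require('node:https');
const tls = require('node:tls');

// Constructed stand-in for a corporate CA: the first root bundled with Node.
const STAND_IN_CA = tls.rootCertificates[0];

// Create a request with the given `agent` setting and report which Agent
// Node attached to it. The target is a loopback port assumed to be closed;
// the request is destroyed immediately and nothing is sent.
function probe(agentSetting) {
  const options = { host: '127.0.0.1', port: 9, path: '/info' };
  if (agentSetting !== undefined) options.agent = agentSetting;
  const req = https.request(options);
  req.on('error', () => {}); // expected: the request is torn down below
  const report = {
    usesGlobalAgent: req.agent === https.globalAgent,
    agentHasCa: req.agent.options.ca !== undefined,
  };
  req.destroy();
  return report;
}

// Apply the global-agent CA setting from the issue, then compare the three
// ways a request can be given an agent. The global setting is restored after.
function compareAgentSettings() {
  const previousCa = https.globalAgent.options.ca;
  https.globalAgent.options.ca = [STAND_IN_CA];
  try {
    return {
      defaultAgent: probe(undefined), // shared global agent
      agentFalse: probe(false), // fresh one-time agent, default options
      explicitAgent: probe(new https.Agent({ ca: [STAND_IN_CA] })),
    };
  } finally {
    https.globalAgent.options.ca = previousCa;
  }
}

console.log(compareAgentSettings());
```

With `agent: false`, a `ca` list set on `https.globalAgent.options` is not applied; a `ca` passed in the request options or through an explicit `https.Agent` is, and certificate verification stays enabled in both cases.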

@brycekahle
Contributor

@mcw8d Which environment variable are you trying to set that is being ignored?

@mcw8d

mcw8d commented Jan 17, 2019

@brycekahle for some context, the server I'm trying to connect to has a cert signed by a CA that I'm pretty sure is loaded into my machine (Chrome, Firefox, curl are all fine with it). I am on a CentOS box using Node 8.11.4 and sockjs-client 1.3.0.
I'm definitely not an expert on the TLS stuff and using certs, but I was trying the following:

  • --use-openssl-ca - Since curl doesn't have a problem I thought this might work, but it didn't regardless of the agent: false line
  • Setting NODE_TLS_REJECT_UNAUTHORIZED=0 - Worked, but only if the agent: false line was removed.

@brycekahle
Contributor

@mcw8d Ok, that makes sense. I don't remember why the agent: false line was added, but I'm sure there was a good reason. Let me see if I can figure that out, and that will inform whether it can be removed or not.

@lucasvwamp

Any update on this? Not being able to provide a CA or rejectUnauthorized is a pretty big hangup

@brycekahle
Contributor

1.6.0 was just published with this fix
