Tuesday, June 21, 2016

Self signed SSL does not work after upgrading from iojs to nodejs v4.4.4


I was using iojs and koa in my application and recently I decided to update iojs to nodejs v4.4.4. The update was very smooth and my application was running in no time. The problem is that I am using a self signed SSL certificate on my development machine, and after I updated to nodejs I receive the following message when I try to access the website:

This site can’t provide a secure connection

localhost uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.

I am using nvm so I tried switching to iojs and the website was working again.

After some reading I found out that I have to update the openssl to version 1.0.2g instead of the 1.0.1g that I used to create the .key and .crt files. So I updated openssl and generated new key and certificate files like this:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Sadly this did not resolve the issue.

This is the code that I use to setup the https on the server:

let sslOptions = {
    key: fs.readFileSync('/etc/apache2/ssl/apache.key'),
    cert: fs.readFileSync('/etc/apache2/ssl/apache.crt')
};
let server = require('https').createServer(sslOptions, app.callback())

Am I doing something wrong? Why does it work with iojs and does not work with nodejs?

2 Answers

Answers 1

There will be a truststore (keystore) file, where all trusted certificates need to be registered. You will have to register this newly created certificate there. Client uses that truststore file to check whether a certificate can be trusted or not.

For more details, you can refer to the link below:

Creating Self Signed Certificates (openssl & keytool)

I hope it helps.

Answers 2

Judging by the error message, there is nothing wrong with the self-signed certificate. But the 'server' offering the SSL connection doesn't support a suitable combination of protocol version and cipher suite.

openssl s_client -connect localhost:443 

or more verbose

openssl s_client -connect localhost:443 -debug 

might tell you what's going wrong during the ssl handshake.

You can also find out what combinations are provided with a tool called sslscan

apt-get install sslscan
sslscan localhost:443
sslscan localhost:443 | grep Accepted

In the end you'll want to configure the ciphersuites your https server offers by providing more ssloptions.

See here https://certsimple.com/blog/a-plus-node-js-ssl
