Різне

TLS (SSL) Node.js v0.12.7 Manual & Documentation

09.10.2015

TLS (SSL) #

Use require('tls') to access this module.

The tls uses module OpenSSL to provide Transport Layer Security and/or Secure Socket Layer: encrypted stream communication.

TLS/SSL is a public/private key infrastructure. Each client and each server must have a private key. A private key is created like this:

All servers and some clients need to have a certificate. Certificates are public keys signed by a Certificate Authority or self-signed. The first step to getting a certificate is to create a «Certificate Signing Request» (CSR) file. This is done with:

To create a self-signed with the certificate CSR, do this:

Alternatively you can send the CSR to a Certificate Authority for signing.

(TODO: docs on creating a CA, for now interested users should just look at test/fixtures/keys/Makefile in the Node source code)

To create .pfx or .p12, do this:

  • in. certificate
  • inkey. private key
  • certfile. all CA certs concatenated in one file like cat ca1-cert.pem ca2-cert.pem > ca-cert.pem

Protocol support #

Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these protocols are disabled. They are considered insecure and could be easily compromised as was shown by CVE-2014-3566. However, in some situations, it may cause problems with legacy clients/servers (such as Internet Explorer 6). If you wish to enable SSLv2 or SSLv3, run node with the -enable-ssl2 or -enable-ssl3 flag respectively. In future versions of Node.js SSLv2 and SSLv3 will not be compiled in by default.

There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly specifying secureProtocol to 'SSLv3_method' or 'SSLv2_method' .

The default protocol method Node.js uses is SSLv23_method which would be more accurately named AutoNegotiate_method. This method will try and negotiate from the highest level down to whatever the client supports. To provide a secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3 and SSLv2 by setting the secureOptions to be SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2 (again, unless you have passed -enable-ssl3. or -enable-ssl2. or SSLv3_method as secureProtocol ).

If you have set secureOptions to anything, we will not override your options.

The ramifications behavior of this change:

  • If your application is behaving as a secure server, clients who are SSLv3 only will now not be able to appropriately negotiate a connection and will be refused. In this case your server will emit a clientError event. The error message will include 'wrong version number' .
  • If your application is behaving as a secure client and communicating with a server that doesn't support methods more secure than SSLv3 then your connection won't be able to negotiate and will fail. In this case your client will emit a an error event. The error message will include 'wrong version number' .

Client-ініціював renegotiation attack mitigation #

The TLS protocol lets the client renegotiate certain aspects of the TLS session. Unfortunately, session renegotiation requires a disproportional amount of server-side resources, which makes it a potential vector for denial-of-service attacks.

To mitigate this, renegotiations are limited to three times every 10 хвилин. An error is emitted on the tls.TLSSocket instance when the threshold is exceeded. The limits are configurable:

tls.CLIENT_RENEG_LIMIT. renegotiation limit, default is 3.

tls.CLIENT_RENEG_WINDOW. renegotiation window in seconds, default is 10 minutes.

Don't change the defaults unless you know what you are doing.

To test your server, connect to it with openssl s_client-connect address:port tap and R (that's the letter R followed by a carriage return) a few times.

NPN and SNI #

NPN (Next Protocol Negotiation) and SNI (Server Name Indication) are TLS handshake extensions allowing you:

  • NPN — to use one TLS server for multiple protocols (HTTP, SPDY)
  • SNI — to use one TLS server for multiple hostnames with different SSL certificates.

Perfect Forward Secrecy #

The term «Forward Secrecy » або «Perfect Forward Secrecy» describes a feature of key-agreement (i.e. key-exchange) methods. Practically it means that even if the private key of a (your server is compromised, communication can only be decrypted by eavesdroppers if they manage to obtain the key-pair specifically generated for each session.

This is achieved by randomly generating a key pair for key-agreement on every handshake (in contrary to the same key for all sessions). Methods implementing this technique, thus offering Perfect Forward Secrecy, are called «ephemeral».

Currently two methods are commonly used to achieve Perfect Forward Secrecy (note the character «Е» appended to the traditional abbreviations):

  • DHE — An ephemeral version of the Diffie Hellman key-agreement protocol.
  • ECDHE — An ephemeral version of the Elliptic Curve Diffie Hellman key-agreement protocol.

Ephemeral methods may have some performance drawbacks, because key generation is expensive.

tls.getCiphers() #

Returns an array with the names of the supported SSL ciphers.

Example:

tls.createServer(options[, secureConnectionListener]) #

Creates a new tls.Server. The connectionListener argument is automatically set as a listener for the secureConnection event. The options object has these possibilities:

pfx. A string or Buffer containing the private key, certificate and CA certs of the server in PFX or PKCS12 format. (Mutually exclusive with the key. cert and ca options.)

key. A string or Buffer containing the private key of the server in PEM format. (Could be an array of keys). (Required)

passphrase. A string of passphrase for the private key or pfx.

cert. A string or Buffer containing the key certificate of the server in PEM format. (Could be an array of certs). (Required)

ca. An array of strings or Buffer s of trusted certificates in PEM format. If this is omitted several well known «root» CAs will be used, like VeriSign. These are used to authorize connections.

crl. Either a string or list of strings of PEM encoded CRLs (Certificate Revocation List)

ciphers. A string describing the ciphers to use or exclude.

To mitigate BEAST attacks it is recommended that you use this option in conjunction with the honorCipherOrder option described below to prioritize the non-CBC cipher.

Defaults to ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL. Consult the OpenSSL cipher list format documentation for details on the format.

ECDHE-RSA-AES128-SHA256. DHE-RSA-AES128-SHA256 and AES128-GCM-SHA256 are TLS v1.2 ciphers and used when Node.js is linked against OpenSSL 1.0.1 or newer, such as the bundled version of OpenSSL. Note that it is still possible for a TLS v1.2 client to negotiate a weaker cipher unless honorCipherOrder is enabled.

RC4 is used as a fallback for clients that speak on older version of the TLS protocol. RC4 has in recent years come under suspicion and should be considered compromised for anything that is truly sensitive. It is міркували that state-level actors possess the ability to break it.

ПРИМІТКА. Previous revisions of this section suggested AES256-SHA as an acceptable cipher. Unfortunately, AES256-SHA is a CBC cipher and therefore susceptible to BEAST attacks. Do not use it.

ecdhCurve. A string describing a named curve to use for ECDH key agreement or false to disable ECDH.

Defaults to prime256v1. Consult RFC 4492 for more details.

dhparam. DH parameter file to use for DHE key agreement. Use openssl dhparam command to create it. If the file is invalid to load, it is silently discarded.

handshakeTimeout. Abort the connection if the SSL/TLS handshake does not finish in this many milliseconds. The default is 120 seconds.

A 'clientError' is emitted on the tls.Server object whenever a handshake times out.

honorCipherOrder. When choosing a cipher, use the server's preferences instead of the system preferences.

Although, this option is disabled by default, it is recommended that you use this option in conjunction with the ciphers option to mitigate BEAST attacks.

Note: If SSLv2 is used, the server will send its list of preferences to the client and the client chooses the cipher. Support for SSLv2 is disabled unless node.js was configured with ./configure -with-sslv2 .

requestCert. If true, the server will request a certificate from clients that connect and attempt to verify that certificate. Default: false .

rejectUnauthorized. If true, the server will reject any connection which is not authorized with the list of supplied CAs. This option only has an effect if requestCert is true. Default: false .

checkServerIdentity(servername, cert). Provide an override for checking server's hostname against the certificate. Should return an error if verification fails. Return undefined if passing.

NPNProtocols. An array or Buffer of possible NPN protocols. (Protocols should be ordered by their priority).

SNICallback(servername, cb). A function that will be called if client supports SNI TLS extension. Two argument will be passed to it: servername. and cb. SNICallback should invoke cb(null, ctx). where ctx is a SecureContext instance. (You can use tls.createSecureContext(. ) to get proper SecureContext). If SNICallback wasn't provided — default callback with high-level API will be used (see below).

sessionTimeout. An integer specifying the seconds after which TLS session identifiers and TLS session tickets created by the server are timed out. See SSL_CTX_set_timeout for more details.

ticketKeys. A 48-byte Buffer instance consisting of 16-byte prefix, 16-byte hmac key, 16-byte AES key. You could use it to accept tls session tickets on multiple instances of tls server.

NOTE: Automatically shared between cluster module workers.

sessionIdContext. A string containing an opaque identifier for session resumption. If requestCert is true. the default is MD5 hash value generated from command-line. Otherwise, the default is not provided.

secureProtocol. The SSL method to use, e.g. SSLv3_method to force SSL version 3. The possible values depend on your installation of OpenSSL and are defined in the constant SSL_METHODS .

secureOptions. Set server options. For example, to disable the SSLv3 protocol set the SSL_OP_NO_SSLv3 flag. See SSL_CTX_set_options for all available options.

Here is a simple example echo server:

You can test this server by connecting to it with openssl s_client :

tls.connect(options[, callback]) #
tls.connect(port[, host][, options][, callback]) #

Creates a new client connection to the given port and host (old API) or options.port and options.host. (If host is omitted, it defaults to localhost .) options should be an object which specifies:

host. Host the client should connect to

port. Port the client should connect to

socket. Establish secure connection on a given socket rather than creating a new socket. If this option is specified, host and port are ignored.

path. Creates unix socket connection to path. If this option is specified, host and port are ignored.

ciphers. A string describing the ciphers to use or exclude.

Defaults to ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL. Consult the OpenSSL cipher list format documentation for details on the format.

The full list of available ciphers can be obtained via tls.getCiphers .

ECDHE-RSA-AES128-SHA256. DHE-RSA-AES128-SHA256 and AES128-GCM-SHA256 are TLS v1.2 ciphers and used when Node.js is linked against OpenSSL 1.0.1 or newer, such as the bundled version of OpenSSL.

pfx. A string or Buffer containing the private key, certificate and CA certs of the client in PFX or PKCS12 format.

key. A string or Buffer containing the private key of the client in PEM format. (Could be an array of keys).

passphrase. A string of passphrase for the private key or pfx.

cert. A string or Buffer containing the key certificate of the client in PEM format. (Could be an array of certs).

ca. An array of strings or Buffer s of trusted certificates in PEM format. If this is omitted several well known «root» CAs will be used, like VeriSign. These are used to authorize connections.

rejectUnauthorized. If true. the server certificate is verified against the list of supplied CAs. An 'error' event is emitted if verification fails; err.code contains the OpenSSL error code. Default: true .

NPNProtocols. An array of strings or Buffer s containing supported NPN protocols. Buffer s should have following format: 0x05hello0x05world. where first byte is next protocol name's length. (Passing array should usually be much simpler: ['hello', 'world'] .)

servername. Servername for SNI (Server Name Indication) TLS extension.

secureProtocol. The SSL method to use, e.g. SSLv3_method to force SSL version 3. The possible values depend on your installation of OpenSSL and are defined in the constant SSL_METHODS .

session. A Buffer instance, containing TLS session.

tls.connect() повертає tls.TLSSocket object.

Class: tls.TLSSocket #

Wrapper for instance of net.Socket. replaces internal socket read/write routines to perform transparent encryption/decryption of incoming/outgoing data.

new tls.TLSSocket(socket, options) #

SNICallback. Optional, see tls.createServer

session. Optional, a Buffer instance, containing TLS session

requestOCSP. Optional, if true — OCSP status request extension would be added to client hello, and OCSPResponse event will be emitted on socket before establishing secure communication

tls.createSecureContext(details) #

Creates a credentials object, with the optional details being a dictionary with keys:

  • pfx. A string or holding the buffer PFX or PKCS12 encoded private key, CA certificate and certificates
  • key. A string holding the PEM encoded private key
  • passphrase. A string of passphrase for the private key or pfx
  • cert. A string holding the PEM encoded certificate
  • ca. Either a string or list of strings of PEM encoded CA certificate to trust.
  • crl. Either a string or list of strings of PEM encoded CRLs (Certificate Revocation List)
  • ciphers. A string describing the ciphers to use or exclude. Consult http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT for details on the format.
  • honorCipherOrder. When choosing a cipher, use the server's preferences instead of the system preferences. For further details see tls module documentation.

If no 'ca' details are given, then node.js will use the default publicly trusted list of CAs as given in

tls.createSecurePair([context][, isServer][, requestCert][, rejectUnauthorized]) #

Creates a new secure pair object with two streams, one of which reads/writes encrypted data, and one reads/writes cleartext data. Generally the encrypted one is piped to/from an incoming encrypted data stream, and the cleartext one is used as a replacement for the initial encrypted stream.

credentials. A secure context object from tls.createSecureContext(. )

isServer. A boolean indicating whether this tls connection should be opened as a server or a client.

requestCert. A boolean indicating whether a server should request a certificate from a connecting client. Only applies to server connections.

rejectUnauthorized. A boolean indicating whether a server should automatically reject clients with invalid certificates. Only applies to servers with requestCert enabled.

tls.createSecurePair() повертає SecurePair object with cleartext encrypted and stream properties.

NOTE: cleartext has the same APIs as tls.TLSSocket

Class: SecurePair #

Returned by tls.createSecurePair.

Event: 'secure' #

The event is emitted from the SecurePair once the pair has successfully established a secure connection.

Similarly to the checking for the server 'secureConnection' event, pair.cleartext.authorized should be checked whether to confirm the certificate used properly authorized.

Class: tls.Server #

This class is a subclass of net.Server and has the same methods on it. Instead of accepting just raw TCP connections, this accepts encrypted connections using TLS or SSL.

Event: 'secureConnection' #

function (tlsSocket)

This event is emitted after a new connection has been successfully handshaked. The argument is an instance of tls.TLSSocket. It has all the common stream methods and events.

socket.authorized is a boolean value which indicates if the system has verified by one of the supplied certificate authorities for the server. If socket.authorized is false then socket.authorizationError is set to describe how authorization failed. Implied but worth mentioning: depending on the settings of the TLS server, you unauthorized connections may be accepted. socket.npnProtocol is a string containing selected NPN protocol. socket.servername is a string containing servername requested with SNI.

Event: 'clientError' #

function (exception, tlsSocket)

When a client connection emits an 'error' event before secure connection is established — it will be forwarded here.

tlsSocket is the tls.TLSSocket that the error originated from.

Event: 'newSession' #

function (sessionId, sessionData, callback)

Emitted on creation of TLS session. May be used to store sessions in external storage. callback must be invoked eventually, otherwise no data will be sent or received from secure connection.

NOTE: adding this event listener will have an effect only on connections established after addition of event listener.

Event: 'resumeSession' #

function (sessionId, callback)

Emitted when client wants to resume previous TLS session. Event listener may perform lookup in external storage using given sessionId. and invoke callback(null, sessionData) once finished. If session can't be resumed (i.e. doesn't exist in storage) one may call callback(null, null). Calling callback(err) will terminate incoming connection and destroy socket.

NOTE: adding this event listener will have an effect only on connections established after addition of event listener.

Event: 'OCSPRequest' #

function (certificate, issuer, callback)

Emitted when the client sends a certificate status request. You could parse server's current certificate to obtain OCSP url and certificate id, and after obtaining OCSP response invoke callback(null, resp). where resp is a Buffer instance. Both certificate and issuer are a Buffer DER-representations of the primary and issuer's certificates. They could be used to obtain OCSP certificate id and OCSP endpoint url.

Alternatively, callback(null, null) could be called, meaning that there is no OCSP response.

Calling callback(err) will result in a socket.destroy(err) call.

Typical flow:

  1. Client connects to server and sends OCSPRequest to it (via status info extension in ClientHello.)
  2. Server receives request and invokes OCSPRequest event listener if present
  3. Server grabs OCSP url from either certificate or issuer and performs an OCSP request to the CA
  4. Server receives OCSPResponse from CA and sends it back to client via callback argument
  5. Client validates the response and either destroys socket or performs a handshake.

NOTE: issuer could be null, if the certificate is self-signed or if the issuer is not in the root certificates list. (You could provide an issuer via ca option.)

NOTE: adding this event listener will have an effect only on connections established after addition of event listener.

NOTE: you may want to use some npm module like asn1.js to parse the certificates.

server.слухати(port[, host][, callback]) #

Begin accepting connections on the specified port and host. If the host is omitted, the server will accept connections directed to any IPv4 address ( INADDR_ANY ).

This function is asynchronous. The last parameter callback will be called when the server has been bound.

See net.Server for more information.

server.close() #

Stops from the server accepting new connections. This function is asynchronous, the server is finally closed when the server emits a 'close' event.

server.address() #

Returns the bound address, the address family name and port of the server as reported by the operating system. See net.Server.address() for more information.

server.addContext(hostname, context) #

Add secure context that will be used if client request's SNI hostname is matching passed hostname (wildcards can be used). context can contain key. cert. ca and/or any other properties from tls.createSecureContext options argument.

Короткий опис статті: create ssl certificate

Джерело: TLS (SSL) Node.js v0.12.7 Manual & Documentation

Також ви можете прочитати