Skip to content

Instantly share code, notes, and snippets.

@sandfox
Created February 15, 2012 00:11
Show Gist options
  • Save sandfox/1831932 to your computer and use it in GitHub Desktop.
Save sandfox/1831932 to your computer and use it in GitHub Desktop.
TLS certificate inspection example (using nodejs)
###
#Step 1 - Generate server certificates etc... (most of this code is horribly ripped off from nodejs docs currently -> http://nodejs.org/docs/latest/api/tls.html)
###
#Assuming your starting from a clean directory
mkdir server
cd server
#generate private key
openssl genrsa -out server-private-key.pem 4096
#generate signing request
openssl req -new -key server-private-key.pem -out server-certificate-signing-request.pem
#self sign the request (or send off the Verisign etc etc)
openssl x509 -req -in server-certificate-signing-request.pem -signkey server-private-key.pem -out server-certificate.pem
###
#Step 2 - now for the client certificates
###
cd ../
mkdir client
cd client
#generate private key
openssl genrsa -out client-private-key.pem 4096
#generate signing request
openssl req -new -key client-private-key.pem -out client-certificate-signing-request.pem
#self sign the request (or send off the Verisign etc etc)
openssl x509 -req -in client-certificate-signing-request.pem -signkey client-private-key.pem -out client-certificate.pem
###
# Step 3 - create some code (copy + pasta)
###
# Copy the server.js file to the server folder, and the client.js file to client folder
# Make sure you have 2 terminal windows open
# Goto the server folder in terminal window 1
sudo node server.js
# Goto the client folder in terminal window 2
node client.js
# See output in terminal window 1
# Profit (or better yet improve this code so it's actually more useful
var tls = require('tls');
var fs = require('fs');
var options = {
// These are necessary only if using the client certificate authentication (so yeah, you need them)
key: fs.readFileSync('client-private-key.pem'),
cert: fs.readFileSync('client-certificate.pem'),
// This is necessary only if the server uses the self-signed certificate
ca: [ fs.readFileSync('../server/server-certificate.pem') ]
};
var cleartextStream = tls.connect(443, options, function() {
console.log('client connected',
cleartextStream.authorized ? 'authorized' : 'unauthorized');
process.stdin.pipe(cleartextStream);
process.stdin.resume();
});
cleartextStream.setEncoding('utf8');
cleartextStream.on('data', function(data) {
console.log(data);
});
cleartextStream.on('end', function() {
server.close();
});
var tls = require('tls');
var fs = require('fs');
var options = {
key: fs.readFileSync('server-private-key.pem'),
cert: fs.readFileSync('server-certificate.pem'),
// This is necessary only if using the client certificate authentication.
// Without this some clients don't bother sending certificates at all, some do
requestCert: true,
// Do we reject anyone who certs who haven't been signed by our recognised certificate authorities
rejectUnauthorized: true
// This is necessary only if the client uses the self-signed certificate and you care about implicit authorization
ca: [ fs.readFileSync('../client/client-certificate.pem') ]
};
var server = tls.createServer(options, function(cleartextStream) {
//Show the certificate info as supplied by the client
console.log(cleartextStream.getPeerCertificate());
console.log('server connected',
cleartextStream.authorized ? 'authorized' : 'unauthorized');
cleartextStream.write("welcome!\n");
cleartextStream.setEncoding('utf8');
cleartextStream.pipe(cleartextStream);
});
server.listen(443, function() {
console.log('server bound');
});
@anhldbk
Copy link

anhldbk commented Aug 29, 2016

@sandfox: at line #24, client.js, where do you get variable server defined?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment