Socket.io + SSL + self-signed CA certificate gives

Posted 2019-01-26 11:12

I am running an https server using a certificate which was created using a self-signed CA certificate.

Now I want to connect Socket.io client to the Socket.io server that is attached to the https server. Unfortunately, I get an error, telling me:

Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE
    at SecurePair.<anonymous> (tls.js:1271:32)
    at SecurePair.EventEmitter.emit (events.js:92:17)
    at SecurePair.maybeInitFinished (tls.js:883:10)
    at CleartextStream.read [as _read] (tls.js:421:15)
    at CleartextStream.Readable.read (_stream_readable.js:293:10)
    at EncryptedStream.write [as _write] (tls.js:330:25)
    at doWrite (_stream_writable.js:211:10)
    at writeOrBuffer (_stream_writable.js:201:5)
    at EncryptedStream.Writable.write (_stream_writable.js:172:11)
    at write (_stream_readable.js:547:24)
    at flow (_stream_readable.js:556:7)

Basically, this error tells me that the certificate could not be verified successfully. This is due to the fact that the according CA certificate is self-signed. When using a https request, I can specify CAs whom I trust.

How can I make Socket.io connect in this case?

PS: I am running Node.js 0.10.0 and Socket.io 0.9.13.

4 answers
Anthone
#2 · 2019-01-26 11:46

Don’t use self signed certificates. Just don’t, some browsers give you no way of accepting them when using WebSockets. And you look like a cheap d*ck for not buying a proper cert.

From They see me pollin, they hatin (p. 23). A presentation by Arnout Kazemier (3rdEden), core team member of Socket.IO.

神经病院院长
#3 · 2019-01-26 11:49

Four years later, but for anyone finding this post like me: if you need to force the client socket to not reject a self-signed server cert, you need rejectUnauthorized: false, as in

const socket = require('socket.io-client')('https://192.168.0.31', { transports: ['websocket'], rejectUnauthorized: false })

from https://github.com/socketio/engine.io-client#methods

Also, there is now a good source for free certs, so now you don't even have to be a "cheap d*ck": https://letsencrypt.org/

冷血范
#4 · 2019-01-26 11:56

For socket.io 1.0 (not sure about 0.9), there are details of how to get the node client to connect to an invalid cert here: https://stackoverflow.com/a/24235426. (Thanks to @3rdEden's comment above.) I find that self-signed SSL certs can be convenient for development servers.

【Aperson】
#5 · 2019-01-26 11:57

Check here on how to use self-signed certificates for Certificate Signing Request. You must specify the following to allow connections using self signed certificates:

  1. key: A string or Buffer containing the private key of the client in PEM format.
  2. cert: A string or Buffer containing the certificate key of the client in PEM format.
  3. ca: An array of strings or Buffers of trusted certificates. If this is omitted several well known "root" CAs will be used, like VeriSign. These are used to authorize connections.

To create a self-signed certificate with the CSR, do this:

openssl x509 -req -in ryans-csr.pem -signkey ryans-key.pem -out ryans-cert.pem

In the client the socket should be used as

var socket = io.connect('https://localhost', {secure: true});
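
The openssl command in the last answer self-signs a certificate with its own key (-signkey), while the question concerns a server certificate issued by a private CA. As an added example that is not part of any post above, this script builds such a CA, issues a localhost certificate from it, and checks the chain against the CA file a client would be given; all file and subject names are constructed, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example; every file name and subject below is constructed.
set -eu

# Create a self-signed CA (key + certificate) in directory $1, named $2.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# Create a server key and CSR for host $2, then sign the CSR with the CA
# in $1. Unlike -signkey, -CA/-CAkey makes the CA the issuer of the leaf.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server-key.pem" -out "$1/server-csr.pem" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/server-csr.pem" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -extfile "$1/san.ext" -out "$1/server-cert.pem" 2>/dev/null
}

# Succeeds if leaf $2 verifies with the CA file $1 as supplied trust anchor.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/dev" "$work/other"
make_ca "$work/dev" "Example Dev CA"
make_ca "$work/other" "Unrelated CA"
issue_server_cert "$work/dev" localhost

# The server loads server-key.pem and server-cert.pem; the client is given
# only ca.pem as its trust anchor, so certificate verification stays on.
if chain_ok "$work/dev/ca.pem" "$work/dev/server-cert.pem"; then
    echo "trusted when the client is given dev/ca.pem"
fi
if ! chain_ok "$work/other/ca.pem" "$work/dev/server-cert.pem"; then
    echo "rejected when the client trusts a different CA"
fi
```

The resulting ca.pem is the file to hand to the client through the ca option listed in the last answer, instead of setting rejectUnauthorized: false.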