Nodejs clientCertEngine

Time: 2018-11-20 13:47:08

Tags: node.js openssl

Node.js version: 11.2.0

Operating system: debian

Subsystem (install, code, runtime, meta, etc.): "no client cert method" error during the TLS handshake

Module (and version) (if relevant): openssl, node tls clientCertEngine

I ran into a problem while trying to use a hardware security module that stores the private key (not readable / not exportable).

Without the HSM there is no problem. Maybe I am passing clientCertEngine wrong? Or is there an issue that does not let us pass -keyform e?

Even though it works with s_client as follows:

openssl s_client -host myHost.com -port 3000 -key fake.key -cert device.crt -CAfile ca.crt -engine hsm_engine -keyform e

When running the client with node tls connect:

_tls_common.js:204 c.context.setClientCertEngine(options.clientCertEngine);

Error: error:1412214B:SSL routines:SSL_CTX_set_client_cert_engine:no client cert method
    at Object.createSecureContext (_tls_common.js:204:17)
    at Object.connect (_tls_wrap.js:1205:48)
    at Object.<anonymous> (/home/pi/test/tls.js:20:19)
    at Module._compile (internal/modules/cjs/loader.js:722:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:733:10)
    at Module.load (internal/modules/cjs/loader.js:620:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:560:12)
    at Function.Module._load (internal/modules/cjs/loader.js:552:3)
    at Function.Module.runMain (internal/modules/cjs/loader.js:775:12)
    at startup (internal/bootstrap/node.js:300:19)

and the JS code:

const tls = require('tls');
const fs = require('fs');

const options = {
  // key: null  // cannot be exported nor read. I've tried both key: null and removing key entirely
  cert: fs.readFileSync('client.crt'),
  clientCertEngine: '/path/to/hsm/.so file',
  ca: [fs.readFileSync('ca.crt')],
};

// tls.connect merges the host/port object with the TLS options internally;
// passing a single object makes the call read the same way it is executed.
const socket = tls.connect({
  host: 'myHost.com',
  port: 3000,
  ...options,
}, () => {
  console.log('client connected', socket.authorized ? 'authorized' : 'unauthorized');
  process.stdin.pipe(socket);
  process.stdin.resume();
});

socket.setEncoding('utf8');
socket.on('data', (data) => { console.log(data); });
socket.on('end', () => { console.log('server ends connection'); });
socket.on('error', (err) => { console.error('socket error', err); });

0 answers:

No answers yet