关于this question,我试图在node.js中启动一个TLS服务器,以反映我在OpenSSL中创建的服务器。我已经从命令行使用OpenSSL测试了客户端和服务器,并且他们成功建立了连接。当我尝试将服务器移植到node.js(并仍然使用OpenSSL客户端连接到它)时,我收到“无共享密码”错误。我想知道在passphrase使用tls.createServer()选项时我需要做些什么特别的事情
以下是我成功分别为服务器和客户端提供的OpenSSL命令,请注意,passphrase.txt文件包含一行密码:
$ openssl s_server -accept 8888 -cert server.cert -key server.key -pass file:passphrase.txt -CAfile ca.cert
$ openssl s_client -connect 127.0.0.1:8888 -cert client.cert -key client.key -pass file:passphrase.txt -CAfile ca.cert
如果我使用附加参数-cipher 'ECDHE-ECDSA-AES128-GCM-SHA256'为客户端和/或服务器指定密码,我也可以成功建立连接。我正在使用openssl ecparam生成的椭圆曲线密钥,并使用openssl ca创建的CA进行签名,如previous question中所述。
用node.js编写的服务器代码如下所示:
var tls = require('tls');
var fs = require('fs');
var msg = '***********\n\nHello there secure client!\n\n***********';
var port = 8888;
var host = 'localhost';
var options = {
cert : fs.readFileSync('server.cert'),
key : fs.readFileSync('server.key'),
passphrase : (fs.readFileSync('passphrase.txt')).toString(),
ca : fs.readFileSync('ca.cert'),
// ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256',
// requestCert : true,
// rejectUnauthorized : true
};
tls.createServer(options, function(cleartextStream) {
if (cleartextStream.authorized) {
console.log('Server-side connection authorized by a Certificate Authority.');
} else {
// TODO this code does not appear to get executed even on failed connections
console.log('Server-side connection not authorized: ' + cleartextStream.authorizationError);
}
// send the server message to the client
cleartextStream.write(msg);
cleartextStream.setEncoding('utf8');
cleartextStream.pipe(cleartextStream);
}).listen(port, function() {
console.log('Server started on port: ' + port);
}).on('clientError', function(err){
console.log('A failed client connection attempt occurred.');
console.error(err);
console.log();
});
在使用node tlsServer.js调用上述代码并尝试在命令行上与OpenSSL客户端连接后,我收到以下消息。
SERVER:
$ node tlsServer.js
Server started on port: 8888
<< client started here >>
A failed client connection attempt occurred.
[Error: 6396:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:openssl\ssl\s3_srvr.c:1132:
]
客户端:
$ openssl s_client -connect 127.0.0.1:8888 -cert client.cert -key client.key -pass file:passphrase.txt -CAfile ca.cert
CONNECTED(00000003)
2674688:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
我正在使用节点v0.6.15。当我取消注释发送到ciphers的选项列表中的requestCert,rejectUnauthorized和tls.createServer()时,错误不会更改。我还有一个客户端的node.js版本,当我尝试连接到节点服务器时,我得到一个套接字挂断代码ECONNRESET,并在尝试连接到OpenSSL服务器时出现以下错误:
Connection to localhost:8888 could not be made.
[Error: 6968:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:openssl\ssl\s23_clnt.c:602:
]
提前感谢您的帮助和想法!
答案 0 :(得分:0)
如果密码错误,也许。尝试删除它。
但是,当客户端无法与服务器达成密码协议时,no_shared_cipher会引发错误。首先尝试删除服务器上的密码套装限制,并查看它协商用于隔离问题的内容。如果这样做,那么在客户端放置一个,看看会发生什么。
此外,您是否可以检查该节点是否使用与openssl命令相同的openssl库。