Hostname / IP doesn't match certificate's altname

Problem description

I am trying to create a TLS server / client setup using Node.js 0.8.8 with a self-signed certificate.

The basic server code looks like this:

var tls = require('tls');
var fs = require('fs');

var tlsServer = tls.createServer({
  key: fs.readFileSync('server-key.pem'),
  cert: fs.readFileSync('server-cert.pem')
}, function (connection) {
  // [...]
});
tlsServer.listen(3000);

Now when I try to connect to this server I use the following code:

var tls = require('tls');
var fs = require('fs');

var connection = tls.connect({
  host: '192.168.178.31',
  port: 3000,

  rejectUnauthorized: true,
  ca: [ fs.readFileSync('server-cert.pem') ]
}, function () {
  console.log(connection.authorized);
  console.log(connection.authorizationError);
  console.log(connection.getPeerCertificate());
});

If I remove the line

ca: [ fs.readFileSync('server-cert.pem') ]

from the client-side code, Node.js throws an error telling me DEPTH_ZERO_SELF_SIGNED_CERT. As far as I understand it this is due to the fact that it is a self-signed cert and there is no other party who trusts this certificate.

If I remove

rejectUnauthorized: true,

as well, the error is gone - but connection.authorized is equal to false which effectively means that my connection is not encrypted. Anyway, using getPeerCertificate() I can access the certificate sent by the server. As I want to enforce an encrypted connection, I understand that I may not remove this line.

Now I read that I can use the ca property to specify any CA that I want Node.js to trust. The documentation of the TLS module implies that it's enough to add the server certificate to the ca array, and then everything should be fine.

If I do that, this error is gone, but I get a new one:

Hostname/IP doesn't match certificate's altnames

To me this means that the CA is now basically trusted, hence that's okay now, but the certificate was made for another host than the one I use.

I create the certificate using

$ openssl genrsa -out server-key.pem 2048
$ openssl req -new -key server-key.pem -out server-csr.pem
$ openssl x509 -req -in server-csr.pem -signkey server-key.pem -out server-cert.pem

as the documentation implies. When creating the CSR I am asked the usual questions, such as for country, state, ... and common name (CN). As you are told "on the web" for an SSL certificate you do not provide your name as CN, but the host name you would like to use.

And this is probably where I fail.

I have tried

  • localhost
  • 192.168.178.31
  • eisbaer
  • eisbaer.fritz.box

where the last two are the local name and the fully qualified local name of my machine.

Any idea what I am doing wrong here?

Recommended answer

Recently there was an addition to node.js which allows overriding hostname check with a custom function. It was added to v0.11.14 and will be available in the next stable release (0.12). Now you can do something like:

var https = require('https');
var fs = require('fs');

var options = {
  host: '192.168.178.31',
  port: 3000,
  ca: [ fs.readFileSync('server-cert.pem') ],
  checkServerIdentity: function (host, cert) {
    return undefined;
  }
};
options.agent = new https.Agent(options);
var req = https.request(options, function (res) {
  //...
});

This will now accept any server identity, but still encrypt the connection and verify keys.

Note that in previous versions (e.g. v0.11.14), the checkServerIdentity was to return a boolean indicating the validity of the server. That has been changed (before v4.3.1) to the function returning (not throwing) an error if there is a problem and undefined if it is valid.
