emailjs/emailjs-tcp-socket

The ca option is not passed to node-socket instances

captainmuppet opened this issue · 5 comments

CA certificates are not passed to the net.tls.connect() function and the socket cannot be upgraded if the server uses a certificate that is not in the Mozilla CA Certificate Store.

Use-case: IMAP connection using emailjs-imap-client to internal servers.

Fixed by #67

The webpack version installed by running npm install cannot be used to build the project, but webpack@4.19.1 works fine.
Please consider adding a package-lock or npm-shrinkwrap file.

The node socket does not consume this option... Add the missing cert to your cert store instead.
https://nodejs.org/dist/latest-v11.x/docs/api/net.html#net_socket_connect_options_connectlistener

True, but tls.connect does. That's why I used it twice (constructor / upgradeToSecure).

Last entry for tls.connect options.
All properties used by tls.createSecureContext() can be passed directly to the connect method.

Firefox CA store does not have any influence on your system cert store because Firefox brings its own store. Use the keychain (on macOS) or whatever your respective system uses.

node.js uses its own certificate store (with certificates copied from the Mozilla CA Certificate Store) by default, as mentioned on the tls page:
ca: Optionally override the trusted CA certificates. Default is to trust the well-known CAs curated by Mozilla.

While installing the certificate on the OS level could* solve the problem, it's also a security risk to accept all certificates from a CA you otherwise wouldn't trust. With the ca option, you only have to trust the issuer where it's needed.

* I'm not sure if node.js uses both the internal cert store and the OS provided certificates
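
An added example, not code from emailjs-tcp-socket or from any commenter in this thread: one way a socket wrapper can forward `ca` to `tls.connect()` on both the direct-TLS path and the STARTTLS upgrade path, so the internal issuer is trusted only on that connection. The names `buildTlsOptions`, `connectSecure`, `upgradeToSecure` and `keepPublicRoots` are hypothetical, and the PEM string is a constructed placeholder.

```javascript
'use strict';
const net = require('net');
const tls = require('tls');

// Constructed placeholder, NOT a real certificate: substitute your internal CA's PEM.
const INTERNAL_CA_PEM =
  '-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n';

// Hypothetical allow-list of TLS settings a socket wrapper forwards to tls.connect().
// rejectUnauthorized is deliberately absent, so a caller cannot switch verification off.
const FORWARDED = ['ca', 'cert', 'key', 'minVersion'];

// Build the options object shared by the direct-TLS and STARTTLS-upgrade paths.
function buildTlsOptions(host, port, socketOptions = {}, { keepPublicRoots = false } = {}) {
  const opts = { host, port, rejectUnauthorized: true };
  // SNI must carry a hostname, never an IP literal.
  if (!net.isIP(host)) opts.servername = host;
  for (const key of FORWARDED) {
    if (socketOptions[key] !== undefined) opts[key] = socketOptions[key];
  }
  if (opts.ca !== undefined) {
    const internal = [].concat(opts.ca);
    // `ca` replaces Node's bundled list, so by default only the internal issuer
    // is trusted on this connection; keepPublicRoots appends to the bundle instead.
    opts.ca = keepPublicRoots ? [...tls.rootCertificates, ...internal] : internal;
  }
  return opts;
}

// Direct TLS (for example IMAPS on port 993).
function connectSecure(host, port, socketOptions) {
  return tls.connect(buildTlsOptions(host, port, socketOptions));
}

// STARTTLS: wrap an already connected plain socket. The same `ca` must be passed
// here too, otherwise the upgrade fails against an internally issued certificate.
function upgradeToSecure(plainSocket, host, port, socketOptions) {
  return tls.connect({ ...buildTlsOptions(host, port, socketOptions), socket: plainSocket });
}
```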