I have created a TLS server and an appropriate TLS client in Node.js. Obviously they both work with each other, but I would like to verify it.

Basically, I think of something such as inspecting the connection, or manually connecting to the server and inspecting what it sends, or something like that ...

The relevant code of the server is:

var fs = require('fs');
var tls = require('tls');
var dnode = require('dnode');

var tlsOptions = {
  key: fs.readFileSync('key.pem'),    // server private key
  cert: fs.readFileSync('server.pem') // server certificate
};

tls.createServer(tlsOptions, function (tlsConnection) {
  var d = dnode({
    // [...]
  });
  // wire the dnode RPC stream to the TLS socket in both directions
  tlsConnection.pipe(d).pipe(tlsConnection);
}).listen(3000);

The appropriate client code is:

var tls = require('tls');
var dnode = require('dnode');

var d = dnode();
d.on('remote', function (remote) {
    // [...]
});

var tlsConnection = tls.connect({
    host: '192.168.178.31',
    port: 3000
});
tlsConnection.pipe(d).pipe(tlsConnection);

How could I do that?

Golo Roden

2 Answers

Wireshark will tell you if the data is TLS encrypted, but it will not tell you if the connection is actually secure against Man-in-the-Middle attacks. For this, you need to test if your client refuses to connect to a server that provides a certificate not signed by a trusted CA, a certificate only valid for a different host name, a certificate not valid anymore, a revoked certificate, ...

If your server.pem is not a certificate from a real/trusted CA, and your client doesn't refuse to connect to the server (and you didn't explicitly provide server.pem to the client), then your client is very probably insecure. Given that you are connecting to an IP, not a host name, no trusted CA should have issued a certificate for it, so I assume you use a self-signed one and are vulnerable. You probably need to specify rejectUnauthorized when calling connect(). (Rant: As this is a pretty common mistake, I think it is extremely irresponsible to make no verification the default.)

Jan Schejbal
  • Thanks for your great explanation! Funny (and good) thing is: For the things you describe that should be tested, actually there are unit tests :-)! For the second thing about the self-signed certificate: Right now it's a self-signed one, as the code is still under heavy development, but it will change to an official one once I have proceeded a little further. Anyway: Thanks a lot for your help, this post was great :-)! – Golo Roden Dec 31 '12 at 16:22
  • Note that self-signed certificates aren't bad in all cases. If you will run one central server and clients (written by you) will fetch e.g. software updates from there, I'd say running your own CA and accepting only certs from that CA would even be preferred, as it prevents broken CAs from endangering the security of your application. You should just make sure that only *your* self-signed/self-issued certificates are accepted - if your software works with self-signed certs although you didn't explicitly specify the cert in the client, it's an indication that it will accept any cert. – Jan Schejbal Jan 01 '13 at 02:53
Basically, I think of something such as inspecting the connection, or manually connecting to the server and inspecting what it sends, or something like that ...

You can use tools such as Wireshark to see the data they are transmitting.

Jiří Pospíšil
  • How do I *recognize* if it's actually TLS encrypted? – Golo Roden Dec 29 '12 at 20:16
  • @GoloRoden Wireshark will show messages like TLS ClientHello, ServerHello, ChangeCipherSpec etc. – user207421 Dec 30 '12 at 01:22
  • Okay, I am going to give it a try ... :-) – Golo Roden Dec 30 '12 at 05:47
  • I tried this ... but I do not see the mentioned messages. I do not see the expected clear text either, but apparently I am doing something wrong :-( – Golo Roden Jan 02 '13 at 12:20
  • Tried again. If I disable TLS, I can see the clear text, and if I enable it again, I do not see it any more. Hence it *seems* as if the connection was encrypted, but I don't get Wireshark to show things such as `ServerHello` & co. ... well, however ;-) – Golo Roden Jan 02 '13 at 18:03