The issue
I wrote a minimal server that requires a client certificate, but it always rejects connections with the following authorizationError: DEPTH_ZERO_SELF_SIGNED_CERT. I put the steps I followed below, and they are quite simple, so you should be able to reproduce this in minutes, should you want to "try this at home". This is with Node.js 0.10.24. Am I doing something wrong?
What I did
First, I generated self-signed client and server certs as follows (instructions from the "Client Side Certificate Auth in Nginx" post); all of this is done in an ssl subdirectory.
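# Certificate authority. The key is 4096-bit RSA and, because of -des3,
# passphrase-protected.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# NOTE(review): when answering the `openssl req` prompts, give the CA and each
# leaf certificate a different subject (at least a different Common Name).
# OpenSSL reports DEPTH_ZERO_SELF_SIGNED_CERT when the leaf certificate's
# issuer DN equals its own subject DN, which is exactly what identical answers
# for ca.crt and client.csr produce. Check with:
#   openssl x509 -in client.crt -noout -subject -issuer
#   openssl verify -CAfile ca.crt client.crt

# Server key and certificate, signed by the CA. 2048-bit RSA replaces the
# original 1024-bit key, which is below the accepted minimum today.
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Client key and certificate. Serial 02 rather than 01: every certificate
# issued by one CA must carry a distinct serial number (RFC 5280), and the
# original listing reused 01 for both the server and the client.
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

# NOTE(review): the -des3 keys need a passphrase every time they are loaded.
# server.js below passes no `passphrase` option, so either supply one there or
# strip it from the server key first (`openssl rsa -in server.key -out
# server.key`) — confirm which of the two was done when reproducing.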
Then, I run the following program with Node.js (i.e. put it in server.js and run node server.js).
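// Minimal HTTPS server that asks every client for a certificate and decides at
// the application layer whether the request is allowed.
var https = require('https');
var fs = require('fs');

var options = {
  // NOTE(review): server.key was generated with -des3, i.e. it is
  // passphrase-protected. Without a `passphrase` option here it can only be
  // loaded if the passphrase was stripped first — confirm which applies.
  key: fs.readFileSync('ssl/server.key'),
  cert: fs.readFileSync('ssl/server.crt'),
  // Trust anchor against which the client's certificate is verified.
  ca: fs.readFileSync('ssl/ca.crt'),
  // Ask the client for a certificate during the handshake.
  requestCert: true,
  // Do not abort the handshake when verification fails: the request still
  // reaches the handler, so `req.client.authorized` below is the only gate.
  // Nothing about a request may be trusted before that check.
  rejectUnauthorized: false
};

/**
 * Writes a JSON response with the given status code and body.
 * @param {http.ServerResponse} res
 * @param {number} status - HTTP status code
 * @param {string} body - already-serialized JSON
 */
function sendJson(res, status, body) {
  res.writeHead(status, {"Content-Type":"application/json"});
  res.end(body);
}

/**
 * Request handler: 200 when the client certificate verified against `ca`,
 * 401 otherwise. The denied path logs the verification error together with
 * the subject and issuer of the certificate that was presented, which is the
 * information needed to diagnose DEPTH_ZERO_SELF_SIGNED_CERT.
 * @param {http.IncomingMessage} req
 * @param {http.ServerResponse} res
 */
function handle(req, res) {
  var client = req.client;
  if (client.authorized) {
    sendJson(res, 200, '{"status":"approved"}');
    console.log("Approved Client ", client.socket.remoteAddress);
    return;
  }
  sendJson(res, 401, '{"status":"denied"}');
  console.log('authorizationError:', client.authorizationError);
  // DEPTH_ZERO_SELF_SIGNED_CERT means OpenSSL classified the leaf (depth 0)
  // certificate itself as self-signed, which it does when the certificate's
  // issuer DN equals its subject DN. If the two lines below are identical,
  // the CA and the client CSR were most likely created with the same answers
  // to the `openssl req` prompts — verify against the files in ssl/.
  var peer = client.getPeerCertificate();
  if (peer && peer.subject) {
    console.log('peer subject:', JSON.stringify(peer.subject));
    console.log('peer issuer:', JSON.stringify(peer.issuer));
  }
  console.log("Denied Client " , client.socket.remoteAddress);
}

https.createServer(options, handle).listen(5678);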
Finally, I try to connect with curl:
# Present the client certificate and key, with verbose handshake output.
# --insecure turns off verification of the *server's* certificate on the curl
# side, so only the client half of the mutual authentication is exercised here.
# client.key is -des3 encrypted, so curl will prompt for its passphrase.
curl --verbose --silent --insecure --key ssl/client.key --cert ssl/client.crt https://localhost:5678
This is where it fails with an authorizationError: DEPTH_ZERO_SELF_SIGNED_CERT. I've read that folks have had more luck setting process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; rather than using rejectUnauthorized: false, but that doesn't seem to make a difference in my case.