
Unable to bypass reject authorization when requesting cert as part of tlsDuplex (initiator) #94

Open
Ramad96 opened this issue Jan 10, 2025 · 5 comments

Comments

@Ramad96

Ramad96 commented Jan 10, 2025

@TimelordUK
Trying to set up a FIX connection as an initiator with a third party, and they are returning an error on the cert I am providing (self-signed).

I have tried to use the rejectUnauthorized flag to bypass this and still connect, but the option is not considered when set in the TLS connection options. Is this expected behaviour, or is a fix to be made?

Current code:

const connectionOptions: ConnectionOptions | null = tcp ? TlsOptionsFactory.getTlsConnectionOptions(tcp) : null
if (connectionOptions) {
  try {
    tlsSocket = tlsConnect(connectionOptions, () => {
      if (!tlsSocket) return null
      this.logger.info(`client connected ${tlsSocket.authorized ? 'authorized' : 'unauthorized'}`)
      if (!tlsSocket.authorized) {
        const error = tlsSocket.authorizationError
        this.logger.warning(`rejecting from state ${this.state} authorizationError ${error}`)
        tlsSocket.end()
        reject(error)
      } else {

Code that I would expect to allow for bypassing the self-signed cert error:

const connectionOptions: ConnectionOptions | null = tcp ? TlsOptionsFactory.getTlsConnectionOptions(tcp) : null
if (connectionOptions) {
  try {
    tlsSocket = tlsConnect(connectionOptions, () => {
      if (!tlsSocket) return null
      this.logger.info(`client connected ${tlsSocket.authorized ? 'authorized' : 'unauthorized'}`)
      if (!tlsSocket.authorized && connectionOptions.rejectUnauthorized !== false) {
        const error = tlsSocket.authorizationError
        this.logger.warning(`rejecting from state ${this.state} authorizationError ${error}`)
        tlsSocket.end()
        reject(error)
      } else {

If there is any way to bypass the reject authorization, then please do point me in the right direction.
Thank you

@TimelordUK
Owner

Is it possible to make the proposed change, test it and raise a PR for it?

@TimelordUK
Owner

TimelordUK commented Jan 11, 2025

Does this work? I think someone previously added this into getTlsConnectionOptions:

if (tls.nodeTlsConnectionOptions) {
  connectionOptions = {
    ...connectionOptions,
    ...tls.nodeTlsConnectionOptions
  }
}

So in your config, something like this (I have not tested this, just looking at the code):

"tls": {
  "timeout": 10000,
  "sessionTimeout": 10000,
  "enableTrace": true,
  "key": "data/session/certs/client/client.key",
  "cert": "data/session/certs/client/client.crt",
  "ca": [
    "data/session/certs/ca/ca.crt"
  ],
  "nodeTlsConnectionOptions": {
    "rejectUnauthorized": false
  }
}

@Ramad96
Author

Ramad96 commented Jan 11, 2025

Thanks for the reply. The above code does already exist in getTlsConnectionOptions but does not work; it still gets caught in the original post's code.

I have also tried to use rejectUnauthorized under nodeTlsConnectionOptions as well as in TlsOptions (ConnectionOptions and ITlsOptions both include that option, although only its use in ConnectionOptions will be picked up as part of the getTlsConnectionOptions code).

As for the config I'm using for this, please see below:

tls: {
  ca: ['path/to/ca.pem'],
  nodeTlsConnectionOptions: { minVersion: 'TLSv1.2', requestCert: true, rejectUnauthorized: false }
},

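The two mechanisms discussed in the thread, as an added example that is not the project's own code: a merge of `nodeTlsConnectionOptions` into the `tls.connect()` options that refuses the string `"false"` (easy to end up with from JSON config, and truthy, so Node would keep verifying), and the post-handshake check gated on the same flag as proposed in the first post. The config shape, the function names `mergeTlsOptions` and `shouldRejectPeer` and the two constructed peer states are assumptions for this example. The detail that makes the unconditional check wrong: with the default `rejectUnauthorized: true` a failed verification emits `'error'` and the `tls.connect()` callback never runs, so the callback only ever observes `authorized === false` when the caller set `rejectUnauthorized: false`, and rejecting there overrides that choice. (`requestCert` in the config above is a server-side option and has no effect in `tls.connect()`.) The caveat a practitioner wants: `rejectUnauthorized: false` switches off authentication of the counterparty altogether, so the fix to prefer is adding the counterparty's self-signed certificate, or the CA that issued it, to `ca`; then `authorized` is `true` and no bypass is needed.

```javascript
// Added example, not the project's code: the two places a rejectUnauthorized
// override has to be honoured when the initiator opens its TLS session.
'use strict'

// Build the tls.connect() options from an assumed config shape like the one in
// the thread ({ ca, key, cert, nodeTlsConnectionOptions }), mirroring the spread
// of nodeTlsConnectionOptions but validating the override before it is used.
function mergeTlsOptions(tlsConfig) {
  const base = {}
  if (tlsConfig.ca) base.ca = tlsConfig.ca
  if (tlsConfig.key) base.key = tlsConfig.key
  if (tlsConfig.cert) base.cert = tlsConfig.cert
  const merged = { ...base, ...(tlsConfig.nodeTlsConnectionOptions || {}) }
  // Config loaded from JSON/YAML can carry the string "false". Every non-empty
  // string is truthy, so tls.connect() would still verify the peer and the
  // override would silently do nothing; refuse anything but a real boolean.
  if ('rejectUnauthorized' in merged && typeof merged.rejectUnauthorized !== 'boolean') {
    throw new TypeError(
      `nodeTlsConnectionOptions.rejectUnauthorized must be a boolean, got ${JSON.stringify(merged.rejectUnauthorized)}`)
  }
  return merged
}

// The check that belongs inside the tls.connect() callback. With the default
// rejectUnauthorized: true a failed verification emits 'error' and the callback
// never runs, so it only ever sees authorized === false when the caller set
// rejectUnauthorized: false. An unconditional `if (!tlsSocket.authorized)
// reject(...)` therefore overrides that choice; gating on the flag restores it.
function shouldRejectPeer(socket, connectionOptions) {
  if (socket.authorized) return false
  // Verification failed. Keep the session only if verification was explicitly
  // disabled, and remember what that means: the peer has not been authenticated.
  return connectionOptions.rejectUnauthorized !== false
}

// Constructed post-handshake states (sample data), shaped like TLSSocket fields.
const verifiedPeer = { authorized: true, authorizationError: undefined }
const selfSignedPeer = { authorized: false, authorizationError: 'DEPTH_ZERO_SELF_SIGNED_CERT' }

// Walk the two configurations from the thread through both functions.
function demo() {
  const strict = mergeTlsOptions({ ca: ['path/to/ca.pem'] })
  const relaxed = mergeTlsOptions({
    ca: ['path/to/ca.pem'],
    nodeTlsConnectionOptions: { minVersion: 'TLSv1.2', rejectUnauthorized: false }
  })
  return {
    strictRejectsSelfSigned: shouldRejectPeer(selfSignedPeer, strict),
    relaxedKeepsSelfSigned: !shouldRejectPeer(selfSignedPeer, relaxed),
    verifiedAlwaysKept: !shouldRejectPeer(verifiedPeer, strict) && !shouldRejectPeer(verifiedPeer, relaxed)
  }
}
```

`demo()` returns all three flags true: the strict options drop a self-signed peer, the relaxed options keep it, and a verified peer is never dropped. Run `mergeTlsOptions` with `rejectUnauthorized: "false"` and it throws instead of producing options that look relaxed but still verify.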
@Ramad96
Author

Ramad96 commented Jan 11, 2025

is it possible to make the proposed change, test it and raise a PR for it?

Happy to do this; will ping the PR once ready. Thanks :)

@TimelordUK
Owner

It may be worth, if you continue to have issues, writing a PowerShell script which replicates the SSL connection; you should then be able to print out the algo suite negotiated etc., i.e. prove that you can connect to the remote peer.
