5 comments

[ 2.2 ms ] story [ 27.4 ms ] thread
Please let me know if you have any questions
Good article! I had not considered requiring clients to have certificates, but it seems that would be a prerequisite to having a private HTTPs/SSL enabled server.

I read this and did not understand:

When you use the rogue certificate and rejectUnauthorized == false, you should see a TLS error being printed on the console, remeber to set rejectUnauthorized == true, to protect the web server.

Are you talking about if(!cleartextStream.authorized) part?

Hey Yebyen.

Yes that is exactly what I meant. If the rejectUnauthorized flag is set, the connection will be dropped before the event 'secureConnection' is emitted, so you will never be able to pick it up if you want to for testing. But in production it is important to enable it, to make sure that connections are dropped.

And thank you :)
Sure! I would imagine the unsecured part would be useful for distributing certs to new users or allowing them to sign up and request a certificate, in the first place.

I have been missing a way that OpenVPN certs, configs, and instructions could be distributed to users without obscuring their general usefulness as SSL certs. Thanks!