Good article! I had not considered requiring clients to have certificates, but it seems that would be a prerequisite to having a private HTTPs/SSL enabled server.
I read this and did not understand:
When you use the rogue certificate and rejectUnauthorized == false, you should see a TLS error being printed on the console, remeber to set rejectUnauthorized == true, to protect the web server.
Are you talking about if(!cleartextStream.authorized) part?
Yes that is exactly what I meant. If the rejectUnauthorized flag is set, the connection will be dropped before the event 'secureConnection' is emitted, so you will never be able to pick it up if you want to for testing. But in production it is important to enable it, to make sure that connections are dropped.
Sure! I would imagine the unsecured part would be useful for distributing certs to new users or allowing them to sign up and request a certificate, in the first place.
I have been missing a way that OpenVPN certs, configs, and instructions could be distributed to users without obscuring their general usefulness as SSL certs. Thanks!
5 comments
[ 2.2 ms ] story [ 27.4 ms ] threadI read this and did not understand:
When you use the rogue certificate and rejectUnauthorized == false, you should see a TLS error being printed on the console, remeber to set rejectUnauthorized == true, to protect the web server.
Are you talking about if(!cleartextStream.authorized) part?
Yes that is exactly what I meant. If the rejectUnauthorized flag is set, the connection will be dropped before the event 'secureConnection' is emitted, so you will never be able to pick it up if you want to for testing. But in production it is important to enable it, to make sure that connections are dropped.
I have been missing a way that OpenVPN certs, configs, and instructions could be distributed to users without obscuring their general usefulness as SSL certs. Thanks!