I'm using node 0.10.26 and trying to establish an https connection with client validation.
Server's code:
var https = require('https');
var fs = req
As mentioned above, there is a sledgehammer to hammer in your nail, using rejectUnauthorized: false.
A more sensible option, from a security point of view, would be to ask the user if (s)he would like to accept and store the self-signed server certificate, just like a browser (or SSH) does.
That would require:
(1) That NodeJS throws an exception that contains the server certificate, and
(2) that the application calls https.request with the stored certificate in the ca: property (see above for description of ca) after the certificate has been manually accepted.
It seems that NodeJS does not do (1), making (2) impossible?
Even better from a security point of view would be to use EFF's SSL observatory to make a crowd-sourced judgement on the validity of a self-signed certificate. Again, that requires NodeJS to do (1).
I think a developer needs to improve NodeJS with respect to (1)...
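The accept-and-store flow described in the answer above, as an added example (not code from the question or the answer). It assumes a current Node.js release, where `tls.connect` with `rejectUnauthorized: false` exposes the presented certificate through `getPeerCertificate().raw`; the helper names and the in-memory `Map` store are hypothetical.

```javascript
// Trust-on-first-use (TOFU) pinning for a self-signed server certificate.
const nodeCrypto = require('crypto');
const tls = require('tls');

// SHA-256 fingerprint (hex) of the DER-encoded certificate, shown to the user on first contact.
function fingerprint(der) {
  return nodeCrypto.createHash('sha256').update(der).digest('hex');
}

// DER -> PEM, so the accepted certificate can be passed in the `ca:` option.
function derToPem(der) {
  const b64 = der.toString('base64').match(/.{1,64}/g).join('\n');
  return '-----BEGIN CERTIFICATE-----\n' + b64 + '\n-----END CERTIFICATE-----\n';
}

// store: Map of host -> { fp, pem }.
// 'unknown'  -> first contact, ask the user before accepting
// 'trusted'  -> same certificate as the one accepted earlier
// 'mismatch' -> certificate changed: refuse, never overwrite the pin silently
function evaluate(store, host, der) {
  const known = store.get(host);
  if (!known) return 'unknown';
  return known.fp === fingerprint(der) ? 'trusted' : 'mismatch';
}

// Record the certificate once the user has accepted its fingerprint.
function accept(store, host, der) {
  store.set(host, { fp: fingerprint(der), pem: derToPem(der) });
}

// Read the presented certificate without trusting it.
// No application data is sent on this unverified socket.
function fetchPeerCert(host, port, cb) {
  const sock = tls.connect({ host, port, rejectUnauthorized: false }, () => {
    const der = sock.getPeerCertificate().raw;
    sock.end();
    cb(null, der);
  });
  sock.once('error', cb);
}

// Options for later https.request calls: verification stays on, pinned to the stored cert.
function requestOptions(store, host, port) {
  const known = store.get(host);
  if (!known) throw new Error('no accepted certificate for ' + host);
  return { host, port, ca: [known.pem], rejectUnauthorized: true };
}
```

Only the first, unverified connection uses `rejectUnauthorized: false`, and only to read the certificate; every request that carries data goes through `requestOptions`, where normal chain and hostname verification applies against the pinned certificate.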