Locally resolved domains ssl - rejectUnauthorized: true Rejecting the domain


Devan S

Nov 12, 2019, 2:59:31 AM
to DataStax Node.js Driver for Apache Cassandra Mailing List
In my /etc/hosts I have the following,

127.0.0.1 db.example.com

I configured cassandra to ssl and i can connect to it via cqlsh --ssl.

If I try to connect via the nodejs driver it throws the following error. Even though I passed db.example.com it throws this error, ignoring the domain name I passed and always resolving to 127.0.0.1.

"All host(s) tried for query failed. First host tried, 127.0.0.1:9042: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 127.0.0.1 is not in the cert's list: . See innerErrors:

var fs = require('fs');
var cassandra = require('cassandra-driver'); // DataStax Node.js driver

var sslOptions = {
    key: fs.readFileSync('node.key'),
    cert: fs.readFileSync('node.cert'),
    ca: [fs.readFileSync('clusterCA.pem')],
    rejectUnauthorized: true
};

var authProvider = new cassandra.auth.PlainTextAuthProvider('cassandra', 'cassandra');
var client = new cassandra.Client({
    contactPoints: ['db.example.com'],
    authProvider: authProvider,
    sslOptions: sslOptions
});

Rubatharisan Thirumathyam

Nov 12, 2019, 6:49:50 AM
to nodejs-dr...@lists.datastax.com
What you are trying to do will not work, if the certificate is designated to a specific domain, then you would need to use that specific domain name (or alt name) to connect.

As far as I know, the hack you're trying to do with the host file is not doable.


--
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs-driver-u...@lists.datastax.com.

Rubatharisan Thirumathyam

Nov 12, 2019, 6:53:38 AM
to nodejs-dr...@lists.datastax.com, deva...@gmail.com
Uhm... The reply-to wasn't Devan lol.
Adding Devan to the mail thread.

Jorge Bay Gondra

Nov 12, 2019, 7:26:36 AM
to nodejs-dr...@lists.datastax.com
(When replying to the list Devan will also get the reply).

Hi,
Rubatharisan is correct. The driver will resolve the address from the name of the contact point, so the host name to match is the IP address.
If you want custom validation of the certificate (i.e., allowing 127.0.0.1 host names), you can add a custom validation function:

sslOptions = {
  key: fs.readFileSync('node.key'),
  cert: fs.readFileSync('node.cert'),
  ca: [fs.readFileSync('clusterCA.pem')],
  rejectUnauthorized: true,
  checkServerIdentity: myCustomCheckServerIdentityFn // (servername, cert) => Error | undefined
};


checkServerIdentity(servername, cert) <Function> A callback function to be used (instead of the builtin tls.checkServerIdentity() function) when checking the server's hostname (or the provided servername when explicitly set) against the certificate. This should return an <Error> if verification fails. The method should return undefined if the servername and cert are verified.

Also, if you want to bypass client-side server validation, you can use rejectUnauthorized: false.


rejectUnauthorized <boolean> If not false, the server certificate is verified against the list of supplied CAs. An 'error' event is emitted if verification fails; err.code contains the OpenSSL error code. Default: true.

Thanks,
Jorge

Devan

Nov 13, 2019, 1:04:25 AM
to DataStax Node.js Driver for Apache Cassandra Mailing List

Indeed I received this email. The suggestion you mentioned, checkServerIdentity with a custom function that returns undefined, works.

But this happens in production as well. I have a Let's Encrypt wildcard certificate, *.example.com. All I receive is my server IP (host) and *.example.com (cert) in the cert.subject.CN parameters of checkServerIdentity; the server's IP is never gonna be in my SSL certificate. I'm a bit confused how it's supposed to match. I see you're using the Node.js tls module under the hood to connect; are there any thoughts you can share?
 

const tls = require('tls');

sslOptions = {
  key: fs.readFileSync('node.key'),
  cert: fs.readFileSync('node.cert'),
  ca: [fs.readFileSync('clusterCA.pem')],
  rejectUnauthorized: true,

  checkServerIdentity: (host, cert) => {
    const error = tls.checkServerIdentity(host, cert);
    console.log(host, cert.subject.CN); // server ip, *.example.com: these two are never gonna match
    // no return statement: the callback yields undefined, so the driver accepts the certificate
  }
};