Are there exaples of using other that basic auth for http-in and http-request
231 views
Skip to first unread message
mfeb
Jun 29, 2015, 9:50:31 PM6/29/15
to node...@googlegroups.com
Looking for any examples of using certs with http-in and http-request.
It looks like it can be done by altering the http node-red package, but in case it's more complicated than it appears... (almost everything is with certs).
It looks like it can be done by altering the http node-red package, but in case it's more complicated than it appears... (almost everything is with certs).
Nicholas O'Leary
Jun 30, 2015, 4:08:03 AM6/30/15
to Node-RED Mailing LIst
HI,
the only option we currently have is to use the NODE_TLS_REJECT_UNAUTHORIZED=0 environment variable to bypass the need to verify certificates.
We do need to improve this within the nodes themselves - the hard part, as ever, as exposing the right set of options in the node without making them overly complex.
If anyone has a proposal for what the minimum sensible set of options to expose is, that would be a useful starting point.
Nick
On 29 June 2015 at 18:50, mfeb <mfebl...@gmail.com> wrote:
Looking for any examples of using certs with http-in and http-request.
It looks like it can be done by altering the http node-red package, but in case it's more complicated than it appears... (almost everything is with certs).
--
http://nodered.org
---
You received this message because you are subscribed to the Google Groups "Node-RED" group.
To unsubscribe from this group and stop receiving emails from it, send an email to node-red+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Julian Knight
Jun 30, 2015, 4:01:13 PM6/30/15
to node...@googlegroups.com
Could you outline what you would like to achieve? Is it simply to be able to use HTTPS client certificate based authentication?
mfeb
Jul 1, 2015, 1:00:43 PM7/1/15
to node...@googlegroups.com
1) CA certificate chain and (optional?) passphrase.
2) Private key with passphrase.
This minimal set of CA and private key certs might suffice. If more are needed, perhaps they could be supplied from a file. And maybe a file containing the cert chain would be preferred.
It will be important to know which formats are supported (e.g., .jks and .pem) and whether the underlying code needs them to be handled differently. If only one type is supported, that should be obvious in the dialog form and/or the documentation tab.
There would be sensitivities around saving the private key passphrase in plain text. What would be an effective way to secure these?
Also, it would be beneficial to have a means by which the cert references and/or the passcodes could be passed in as msg properties.
Julian Knight
Jul 1, 2015, 3:32:37 PM7/1/15
to node...@googlegroups.com
The place to start learning will be with Node.JS and Express. Node-Red wraps both of these and uses their capabilities. So I recommend, if you haven't already done so, creating a simple Node/Express server that does what you want so you can see the requirements and configuration. Once you have that, the next step will be to feed those settings in to Node-Red.
Can't say I've done what you are looking for even in raw Node.JS/Express, I've only ever done a simple secured web server with self-signed certs. The most complex I've ever done is an example of a Node based HTTPS proxy server. However, if you can work out the Node.JS side of things, I'm sure someone will be able to help work that into Node-Red.
Can't say I've done what you are looking for even in raw Node.JS/Express, I've only ever done a simple secured web server with self-signed certs. The most complex I've ever done is an example of a Node based HTTPS proxy server. However, if you can work out the Node.JS side of things, I'm sure someone will be able to help work that into Node-Red.
Julian Knight
Jul 1, 2015, 3:34:45 PM7/1/15
to node...@googlegroups.com
I also spotted this, might give some clues unless you are already past this stage.
mfeb
Jul 2, 2015, 1:15:27 PM7/2/15
to node...@googlegroups.com
Right. So these example are examples of using certs with a server.
We're looking to use certs as credentials for client interactions (http_request, http-in). Are you saying that we'd get insight from looking at how the server handles certs? If so, we'll dive in.
Thanks,
Mark
We're looking to use certs as credentials for client interactions (http_request, http-in). Are you saying that we'd get insight from looking at how the server handles certs? If so, we'll dive in.
Thanks,
Mark
Nicholas O'Leary
Jul 2, 2015, 1:29:35 PM7/2/15
to node...@googlegroups.com
Mark,
We already have support for setting up listening on https via the settings file. Details in the docs.
That should cover inbound requests into node-red (http-in node).
As mentioned at the start of this thread, we don't currently expose any options for outbound https requests (using the http-request node) You can use an https URL and it will attempt the request, but you cannot set any client certs or options. That is the bit we need to do more around and am open to suggestions as to what the minimal viable set of options are to be useful.
Nick
--
Mark Feblowitz
Jul 2, 2015, 9:23:50 PM7/2/15
to node...@googlegroups.com
Ok -
I think the minimum needed would be for the for the http-request node to be able to be configured in such a way that the https node’s https.request options can be populated (https://nodejs.org/api/https.html#https_https_request_options_callback).
This would include
pfx: Certificate, Private key and CA certificates to use for SSL.key: Private key to use for SSL. Defaultnull.passphrase: A string of passphrase for the private key or pfx, plaintext for now, obfuscated at the UI and hashed internally for laterca: An authority certificate or array of authority certificates to check the remote host against
And possibly:
cert: Public x509 certificate to use.
The example for key and cert shows them as coming from files.
Let me know if there’s more that you need.
Thanks,
Mark
You received this message because you are subscribed to a topic in the Google Groups "Node-RED" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/node-red/Eyc4rykP97k/unsubscribe.
To unsubscribe from this group and all its topics, send an email to node-red+u...@googlegroups.com.
Julian Knight
Jul 3, 2015, 2:59:05 AM7/3/15
to node...@googlegroups.com
That is what I was suggesting but it looks to me as though you are well past that already :)
Julian Knight
Jul 3, 2015, 3:09:16 AM7/3/15
to node...@googlegroups.com
Not explicitly stated but of course, we would also need an option (or automatic selection) to use the https Node.JS object instead of the http object.
I think that you would also need access to the ciphers and
I think that you would also need access to the ciphers and
secureProtocol settings to cope with recent security vulnerabilities.
The rejectUnauthorized option is also needed if you want the option for verification to ignore the CA chain.Nicholas O'Leary
Jul 3, 2015, 3:19:48 AM7/3/15
to node...@googlegroups.com
Julian, as I said, if you provide an https URL we already do the right thing and use the https module under the covers. This is only about what additional config options are needed.
Nick
Matt Lyster
Sep 17, 2015, 9:33:51 PM9/17/15
to Node-RED
I recently found myself in the same predicament as Mark, regarding wanting to use the http-request node to make a call to a https service to which the authentication is based on a user certificate, rather than a server cert. When searching for a solution, I ran across this thread. Just curious if there has been any advancement toward such a capability?
Thanks,
Matt
Scott C. Lemon
Jan 7, 2018, 12:41:16 AM1/7/18
to Node-RED
I'm going to awake this thread again, hoping to find a solution for integrating with yet another IoT platform ...
The platform requires that I use a client cert to authenticate with the service endpoint.
They provide me with a password encoded cert, with I can use with curl as follows:
curl -v -k -E client.pem:jJ3fF7dD0rR2rR3wW0eE2tT -H "Content-Type: application/json" -d "{ \"propertyId\": \"1\", \"sensorId\": \"1234567890\", \"value\": [[\"25\"]] }" https://demo.platform.com/iot/11223344
In this case they generated the cert and provided it to me (either .pem or .p12) and the secret/password that goes with it.
The curl format is:
curl -v -k -E client.pem:<SECRET_KEY> -H "Content-Type: application/json" -d "<ENCODED_JSON_MESSAGE>" <REST_ENDPOINT>
I'm trying to find how I can make an HTTPS request like this from Node-RED, supplying the cert and password/secret as is being done with curl above?
Any ideas/suggestions?
I've been doing the Google searches and have run out of ideas ...
On Monday, June 29, 2015 at 7:50:31 PM UTC-6, mfeb wrote:
Looking for any examples of using certs with http-in and http-request.
It looks like it can be done by altering the http node-red package, but in case it's more complicated than it appears... (almost everything is with certs).
Scott C. Lemon
Jan 7, 2018, 1:34:43 AM1/7/18
to Node-RED
It appears that to do this in node.js there is a good example here ...
In the example, I'm not sure with the "key.pem" is ... as this platform does not provide me that. Only the client.pem and passphrase ...
Scott C. Lemon
Jan 7, 2018, 1:41:50 AM1/7/18
to Node-RED
Actually ... inside the client.pem they have me download, I found both the private key and certificate ... so I have all three.
Now the question is how to evolve the http request node to handle these parameters?
Scott C. Lemon
Jan 8, 2018, 12:04:53 PM1/8/18
to Node-RED
I've found it's really the lack of the "passphrase" that seems to be my issue.
Is it ok to open a Github issue to request that "passphrase" be added to the TLS support in the HTTP Request node?
Scott C. Lemon
Jan 8, 2018, 12:11:35 PM1/8/18
to Node-RED
I found this issue, already open in Github, and added the request to this issue ... is there anywhere else that I ought to put this request?
Reply all
Reply to author
Forward
0 new messages