Self signed SSL does not work after upgrading from iojs to nodejs v4.4.4

Question

I was using iojs and koa in my application and recently I decided to update iojs to nodejs v4.4.4. The update was very smooth and my application was running in no time. The problem is that I am using a self signed SSL certificate on my development machine, and after I updated to nodejs I receive the following message when I try to access the website:

This site can’t provide a secure connection

localhost uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.

I am using nvm so I tried switching to iojs and the website was working again.

After some reading I found out that I have to update the openssl to version 1.0.2g instead of the 1.0.1g that I used to create the .key and .crt files. So I updated openssl and generated new key and certificate files like this:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Sadly this did not resolve the issue.

This is the code that I use to setup the https on the server:

let sslOptions = {
            key: fs.readFileSync('/etc/apache2/ssl/apache.key'),
            cert: fs.readFileSync('/etc/apache2/ssl/apache.crt')
                 };

let server = require('https').createServer(sslOptions, app.callback())

Am I doing something wrong? Why does it work with iojs and does not work with nodejs?

Answer 1

Thank you for the answers!

As I suspected, the problem were with something unrelated to openssl.

In my application I have a config.js file with the app configuration. Inside of it I am reading the certificate files and adding them to a javascript object.

The problem was, that I am using the lodash module to merge 2 javascript objects (one of which contained the certificate files).

I was using an older version of the lodash module and it appears that it used a Buffer to merge the files. The Buffer implementation in that version did not match the Buffer implementation in the new Node.js version. This led to incorrect merge of the certificate files and resulted in the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error message.

Long story short, after updating the lodash module to the latest version, the certificate began to work as intended.

Answer 2

There will be a truststore (keystore) file, where all trusted certificates need to be registered. You will have to register this newly created certificate there. Client uses that truststore file to check whether a certificate can be trusted or not.

For more details you can take reference from below link :-

Creating Self Signed Certificates (openssl & keytool)

I hope it helps.

Answer 3

Judging by the error message there is nothing wrong with the self signed certificate. But the 'server' offering the ssl connection doesn't support a suitable combination of protocol version an cipher suite.

openssl s_client -connect localhost:443

or more verbose

openssl s_client -connect localhost:443 -debug

might tell you what's going wrong during the ssl handshake.

You can also find out what combinations are provided with a tool called sslscan

apt-get install sslscan
sslscan localhost:443
sslscan localhost:443 | grep Accepted

In the end you'll want to configure the ciphersuites your https server offers by providing more ssloptions.

See here https://certsimple.com/blog/a-plus-node-js-ssl

Answer 4

I'm not a NodeJS expert. But seems like you need to disable RC4 on your node server. I think that's the issue.