TLS what exactly does 'rejectUnauthorized' mean for me?

ssl node.js

Solution 1:

As described in the documentation:

  • rejectUnauthorized: If true, the server certificate is verified against the list of supplied CAs. An error event is emitted if verification fails; err.code contains the OpenSSL error code. Default: true.

Since you're using self-signed certificates, obviously there won't be a match with the built-in CAs, so by default the connection would be rejected because it cannot verify the server is who they say they are.

By setting rejectUnauthorized: false, you're saying "I don't care if I can't verify the server's identity." Obviously this is not a good solution as it leaves you vulnerable to MITM attacks.

A better solution for self-signed certificates is to set the appropriate ca value to your custom CA when connecting client-side. Also, make sure your host value matches that of the Common Name of the server's self-signed certificate. For example:

var socket = tls.connect({
  host: 'MyTLSServer',
  port: 1337,
  ca: [ fs.readFileSync('CA.pem') ],
}, function() {
  // Connected!
});

// ...

No matter if you use rejectUnauthorized: false or set ca, the connection is encrypted.

Related

What does a Kotlin function signature with T.() mean?
Import statement works on PyCharm but not from terminal
How do I update all NuGet packages at once with the dotnet CLI?
Does Numpy automatically detect and use GPU?
How to use host network for docker compose?
How do you construct a LINQ to Entities query to load child objects directly, instead of calling a Reference property or Load()
Differentiate - *legitimated* vs *legitimized*
What does "sport" mean in this sentence?
How to Use Singular/Plural in this Respectively statement? [closed]
When should I use "is" and when "are"?
Catching up a lag
verbs ending in -en