TLS what exactly does 'rejectUnauthorized' mean for me?
Solution 1:
As described in the documentation:
-
rejectUnauthorized
: Iftrue
, the server certificate is verified against the list of supplied CAs. Anerror
event is emitted if verification fails;err.code
contains the OpenSSL error code. Default:true
.
Since you're using self-signed certificates, obviously there won't be a match with the built-in CAs, so by default the connection would be rejected because it cannot verify the server is who they say they are.
By setting rejectUnauthorized: false
, you're saying "I don't care if I can't verify the server's identity." Obviously this is not a good solution as it leaves you vulnerable to MITM attacks.
A better solution for self-signed certificates is to set the appropriate ca
value to your custom CA when connecting client-side. Also, make sure your host
value matches that of the Common Name of the server's self-signed certificate. For example:
var socket = tls.connect({
host: 'MyTLSServer',
port: 1337,
ca: [ fs.readFileSync('CA.pem') ],
}, function() {
// Connected!
});
// ...
No matter if you use rejectUnauthorized: false
or set ca
, the connection is encrypted.