Express: Using tls instead of http server causes express to crash

Created on 3 Feb 2015 · 13Comments · Source: expressjs/express

When I use the express generator and use a tls server instead of http server, the app crashes upon a request.

I'm using express 4.11.1 and node.js 0.10.36.

Fishrock123 on the IRC channel suggested that req.url might be empty for tls requests.

$ DEBUG= ./bin/www

/home/user/homecontrol/node_modules/express/lib/router/index.js:130
  var search = 1 + req.url.indexOf('?');
                           ^
TypeError: Cannot call method 'indexOf' of undefined
    at Function.proto.handle (/home/user/homecontrol/node_modules/express/lib/router/index.js:130:28)
    at EventEmitter.app.handle (/home/user/homecontrol/node_modules/express/lib/application.js:141:10)
    at Server.app (/home/user/homecontrol/node_modules/express/lib/express.js:28:9)
    at Server.emit (events.js:98:17)
    at SecurePair.<anonymous> (tls.js:1201:18)
    at SecurePair.g (events.js:180:16)
    at SecurePair.emit (events.js:92:17)
    at SecurePair.maybeInitFinished (tls.js:980:10)
    at CleartextStream.read [as _read] (tls.js:472:13)
    at CleartextStream.Readable.read (_stream_readable.js:341:10)

The following code is used to use tls instead of http.

/**
 * Create TLS server with security.
 */
var securityOptions = {

    // Specify the key file for the server
    key: fs.readFileSync('cert/server.key'),
    passphrase: 'somepassphrase',

    // Specify the certificate file
    cert: fs.readFileSync('cert/server.crt'),

    // Specify the Certificate Authority certificate
    ca: fs.readFileSync('cert/ca.crt'),

    // This is where the magic happens in Node.  All previous
    // steps simply setup SSL (except the CA).  By requesting
    // the client provide a certificate, we are essentially
    // authenticating the user.
    requestCert: true,

    // If specified as "true", no unauthenticated traffic
    // will make it to the route specified.
    rejectUnauthorized: false
};


var server = tls.createServer(securityOptions, app);
//var server = http.createServer(app);

question

Source

hansmbakker

Most helpful comment

Gotcha. So in node.js core, http is to net as https is to tls, basically. http/https does the http protocol and net/tls is just the TCP sockets.

dougwilson on 3 Feb 2015

👍2

All 13 comments

To troubleshoot, can you confirm that you get that error and the _only modification to the generated app_ what that single change?

dougwilson on 3 Feb 2015

Thank you for your quick response. Yes, this is the only modification.

I did

express tlsTest
cd tlsTest/
npm install
DEBUG=tlsTest:* ./bin/www

This goes well with an unmodified generated app.

When modify bin/www with the mentioned modifications it goes wrong.

I add

var tls = require('tls');
var fs = require('fs');

at the top and replace the http server line with

/**
 * Create TLS server with security.
 */
var securityOptions = {

    // Specify the key file for the server
    key: fs.readFileSync('cert/server.key'),
    passphrase: 'somepassphrase',

    // Specify the certificate file
    cert: fs.readFileSync('cert/server.crt'),

    // Specify the Certificate Authority certificate
    ca: fs.readFileSync('cert/ca.crt'),

    // This is where the magic happens in Node.  All previous
    // steps simply setup SSL (except the CA).  By requesting
    // the client provide a certificate, we are essentially
    // authenticating the user.
    requestCert: true,

    // If specified as "true", no unauthenticated traffic
    // will make it to the route specified.
    rejectUnauthorized: false
};


var server = tls.createServer(securityOptions, app);
//var server = http.createServer(app);

I get the error upon making a https request to the server (e.g. https://127.0.0.1:3000/users)

hansmbakker on 3 Feb 2015

Thanks :) Before I get to a computer, would you be able to try it on like 0.10.31, just to rule out some kind of node.js regression?

I would also try with requestCert: false just to see if that makes a difference as well.

dougwilson on 3 Feb 2015

Is the only way for that "uninstalling node and reinstalling an old version"?

requestCert: false does not make any difference.

hansmbakker on 3 Feb 2015

What OS are you using?

dougwilson on 3 Feb 2015

OSX 10.10.2 (Yosemite)

hansmbakker on 3 Feb 2015

K. I don't know much about that. I believe a lot of people switch using "nvm" program. If you cannot figure it out, I'll eventually get to a computer to try it out.

dougwilson on 3 Feb 2015

nvm and n are both good node version managers, installable from npm.

Fishrock123 on 3 Feb 2015

Same crash on 0.10.31.

I did $ DEBUG=homecontrol:* /usr/local/n/versions/0.10.31/bin/node ./bin/www
I added console.log(process.versions); in bin/www

its output:
{ http_parser: '1.0', node: '0.10.31', v8: '3.14.5.9', ares: '1.9.0-DEV', uv: '0.10.28', zlib: '1.2.3', modules: '11', openssl: '1.0.1i' }

hansmbakker on 3 Feb 2015

Can you replace your app variable with the following?

var app = function(req, res){console.dir(req)}

and see what node.js is handing to express?

dougwilson on 3 Feb 2015

Nevermind. You need to use https lib, not tls; tls is raw TCP sockets, not HTTPS.

dougwilson on 3 Feb 2015

aaaah, I thought that https was outdated and replaced by tls :$ my bad.

Thanks for investigating and for your quick support!

hansmbakker on 3 Feb 2015

Gotcha. So in node.js core, http is to net as https is to tls, basically. http/https does the http protocol and net/tls is just the TCP sockets.

dougwilson on 3 Feb 2015

👍2

Was this page helpful?

0 / 5 - 0 ratings

Related issues

express.Router()

cuni0716 · 3Comments

Express is using sync APIs, node --trace-sync-io complains

afanasy · 3Comments

new tag for 5.0 alpha?

zackarychapple · 3Comments

CORS issues despite adding options to allow headers

ER-GAIBI · 3Comments

vulnerability detected in express 4.17.1

prashantLio · 3Comments