Node: .getPeerCertificate() on https.request()

Created on 12 Jul 2016 · 6 Comments · Source: nodejs/node

  • Version: v4.4.6
  • Platform: Linux xxx 3.16.0-76-generic #98~14.04.1-Ubuntu SMP Fri Jun 24 17:04:54 UTC 2016
  • Subsystem: n/a

Hi

.getPeerCertificate() does not return the fingerprint after the first https.request(). It seems to be a problem with https.agent. If I set agent to false in https.request(opts), then I correctly get the fingerprint each time.

Here is an example:

const https = require("https");

function request() {
    var options = {
        hostname: 'www.google.com',
        port: 443,
        path: "/",
        method: 'GET',
        // uncommenting this makes the fingerprint work again (the agent's connections are closed)
        //agent: false, 
        rejectUnauthorized: false
    };

    var req = https.request(options, (res) => {
        res.fingerprint = res.connection.getPeerCertificate().fingerprint;
        var data = '';
        res.on('data', (d) => {
            data += d;
        });
        res.on('end', () => {
            console.log("got data", res.fingerprint);
            setTimeout(request, 1000);
        });

    }).on('error', (e) => {
        console.error(e);
    });
    req.end();
}

request();
doc https tls

All 6 comments

Maybe other tlsSocket fields are affected.

That is an unfortunate side effect of TLS session resumption. In your example, the first connection does a full TLS handshake but subsequent connections do an abridged version based on the previously established TLS session (which persists across connections.)

It's good for performance reasons (it cuts the number of TCP round-trips in half) but it loses the TLS connection metadata.

The reason it works as you expect it to with { agent: false } is that it creates a new session for every connection.
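
An added example, not code from this issue or from Node.js itself: one way to keep a fingerprint check working with the default agent is to record the fingerprint on the full handshake and reuse it when `isSessionReused()` reports a resumed session. The names `pinCache`, `peerFingerprint` and `pinnedRequest` are hypothetical, the `host:port` cache key is an assumption, and the `https` module is passed in as a parameter.

```javascript
// Added example: names below are illustrative, not part of Node.js.
// Fingerprints seen on full handshakes, keyed by "host:port" (assumption:
// that key identifies one server for the lifetime of the process).
const pinCache = new Map();

// Return the peer certificate fingerprint for a connected TLS socket.
// On a resumed session the certificate object may be empty, so fall back to
// the value recorded during the full handshake. Returns null when neither is
// available, so callers can fail closed.
function peerFingerprint(socket, key, cache = pinCache) {
  const cert = socket.getPeerCertificate();
  if (cert && cert.fingerprint) {
    cache.set(key, cert.fingerprint);
    return cert.fingerprint;
  }
  if (socket.isSessionReused() && cache.has(key)) {
    return cache.get(key);
  }
  return null;
}

// Issue a request and compare the fingerprint with `expected` before handing
// the response to the caller. `https` is the built-in module, passed in.
function pinnedRequest(https, options, expected, onResponse) {
  const key = `${options.hostname}:${options.port || 443}`;
  const req = https.request(options, (res) => {
    const fp = peerFingerprint(res.socket, key);
    if (fp !== expected) {
      // A missing (null) fingerprint is treated as a mismatch.
      req.destroy(new Error(`fingerprint check failed for ${key}`));
      return;
    }
    onResponse(res, fp);
  });
  return req;
}
```

The caller still attaches an `'error'` handler to the returned request and calls `req.end()`, as in the snippet from the issue.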

Thanks,

It depends on the way you want to provide the application's subsystem. It doesn't really matter to me, but the question is: is it a normal behaviour for a normal guy, I would say :)
Actually the agent is something transparent (almost opaque) for the famous normal guy, no?

Cheers
Michael

cc @nodejs/documentation - the documentation for getPeerCertificate() and the HTTPS agent should clarify that resumed sessions lack the peer's certificate info.

@mykiimike You're welcome to submit a PR too, of course. :-)

I will try to find some free time to do it :+1:

A PR would be welcome.

This issue has been inactive for sufficiently long that it seems like perhaps it should be closed. Feel free to re-open (or leave a comment requesting that it be re-opened) if you disagree. I'm just tidying up and not acting on a super-strong opinion or anything like that.
