Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make certificate verification work for self-signed certificate #29

Merged
merged 4 commits into from
Oct 2, 2024
Merged

make certificate verification work for self-signed certificate #29

merged 4 commits into from
Oct 2, 2024

Conversation

william-xiang
Copy link
Collaborator

@william-xiang william-xiang commented Aug 22, 2024
edited by jonnyz32
Loading

The changes in this PR make sure it can get the correct content of certificate and trust it for secure connection.
The main change is trying to use certificate verification during TLS handshake as much as possible. There are four scenarios:

  1. Self-signed certificate, should do the verification by trusting this certificate
  2. Certificate signed by a publicly trusted CA, should do the verification using the well-known CA certificates provided by node
  3. Certificate signed by a internal private CA, should do the verification by trusting the obtained root CA certificate
  4. User has to make sure server certificate is configured correctly

jonnyz32
jonnyz32 reviewed Aug 22, 2024
View reviewed changes
Copy link
Collaborator

@jonnyz32 jonnyz32 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to add new tests for this?

src/sqlJob.ts Outdated
// So the certificate verification cannot pass, should set rejectUnauthorized to false.
let rejectUnauthorized = true;

if (db2Server.ca) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we pass in the db2server.ca into the function, shouldn't the server get verified based on if it has that certificate? I'm not sure why rejectUnauthorized is not just True here

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally it should use that specified CA certificate to verify the server's certificate. But in scenario that server does not use a self-signed certificate and is not configured properly to send the full chain certificate during the handshake, the db2server.ca is just the server certificate. Since this certificate is not a self-signed, it cannot be verified by itself. That's the reason why rejectUnauthorized needs to be false for this scenario.

@william-xiang
Copy link
Collaborator Author

Do we need to add new tests for this?

We can keep using existing test cases unless we want to use the designated machines to test the getRootCerttificate part.

@jonnyz32
Copy link
Collaborator

Do we need to add new tests for this?

We can keep using existing test cases unless we want to use the designated machines to test the getRootCerttificate part.

I don't think we have any tests that the client will not connect if the certificate is invalid

@jonnyz32 jonnyz32 linked an issue Oct 1, 2024 that may be closed by this pull request
enable server certificate verification for self-signed certificate #28
Closed
@jonnyz32 jonnyz32 merged commit 040956a into Mapepire-IBMi:main Oct 2, 2024
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonnyz32 jonnyz32 jonnyz32 approved these changes

@worksofliam worksofliam Awaiting requested review from worksofliam

@ThePrez ThePrez Awaiting requested review from ThePrez

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

enable server certificate verification for self-signed certificate
2 participants
@william-xiang @jonnyz32