Manual handling SSL Errors (eg. On self signed certificates)

[pc-magas]

Sometime during there is a use of self-signed certificates for example:

• Hosting an internal org xmpp server
• Having a development environent.

Therefore I want somehow when my node.js app using the @xmpp/client library to be able to handle these situations manually eg. via asking the user whether to accept the certificate or not or logging that the specific situation resulted on a self-signed certificate TLS connection.

So In my case I did the following small node.js dummy client:

const {client, xml, jid} = require('@xmpp/client')

const initXmpp=function(xmpp){

  xmpp.on('error', err => {
    console.error("Error occured",err.toString())
    // dialog.showErrorBox('Internal Error',err.toString())
  })

  xmpp.on('offline', () => {
    console.log('🛈', 'offline')
  })

  xmpp.on('online', async address => {
    dialog.showMessageBox({'type':'info','message':"Online as:"+address.toString()})
  })

  xmpp.on('stanza', stanza => {
    console.log('⮈', stanza.toString())
    xmpp.stop()
  })

  process.on('unhandledRejection', function (reason, p) {
    console.error('Possibly Unhandled Rejection at: Promise ', p, ' reason: ', reason)
  })

  try{
    xmpp.start()
  } catch(e) {
    console.error(e.message)
  }
}

try{
  clientInstance=new client({
    'service':"xmpp://0.0.0.0:5222",
    'domain': "example.com",
    'username':"admin",
    'password':"admin",
  });

  initXmpp(clientInstance);
} catch(e) {
  console.error(e);
}

And using docker I setup an openfire 3.10.3 xmpp server:

version: '3'
services:
  openfire:
    image: sameersbn/openfire
    ports:
      - "9090:9090"
      - "5222:5222"
      - "7777:7777"
      - "7070:7070"
      - "7443:7443"
    volumes:
      - "./volumes/openfire:/var/lib/openfire"

Even though my openfire version is an outdated one the issue is that somehow I need manually to handle TLS and error generally that happen during connection from client to the server. For now in TLS Self signed certificate case there's no way to manually handle the connection.

[tbto]

If you are use Node JS, try this

[pc-magas]

What about electron? Also I want somehow the end user to select whether to accept self-signed certificates or not. Therefore I need some sort of more manual approach (eg.via providing your own connection implementation).

[sonnyp]

There are ways to do that now but requires writing custom code.

I'm open to having such feature built-in.

There are multiple paths where TLS can be used:

• direct TLS (xmpps)
• https lookups
• WebSocket (wss)
• StartTLS

Of course this feature can only be supported on Node.js.

All of them use tls underneath so it should be fairly easy to implement that feature simply and for all.

Not sure what the best approach is but maybe for example passing TLS options and events to any TLS socket created by the xmpp instance.

@pc-magas wanna give it a try?

[bapunii]

If you are use Node JS, try this

worked for me

[NickHeathCode]

I get a SASLError: invalid-mechanism when setting process.env.NODE_TLS_REJECT_UNAUTHORIZED='0'; in code. Any thoughts on how I can fix this?

The only error I got before getting this error was that there was a self signed certificate in the chain. Thanks in advance.

[bg1avd]

process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

I get a SASLError: invalid-mechanism when setting process.env.NODE_TLS_REJECT_UNAUTHORIZED='0'; in code. Any thoughts on how I can fix this?

The only error I got before getting this error was that there was a self signed certificate in the chain. Thanks in advance.

add below line in your code:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

[bapunii]

Please follow the below guide, thank for asking. shanalikhan/code-settings-sync#776

…

On Mon, 23 Sept 2024, 07:12 Rao Lin, ***@***.***> wrote: process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; I get a SASLError: invalid-mechanism when setting process.env.NODE_TLS_REJECT_UNAUTHORIZED='0'; in code. Any thoughts on how I can fix this? [image: image] <https://private-user-images.githubusercontent.com/102008234/274768809-f659b5c1-a6fe-4436-b090-8d449535b153.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjcwNTUxODgsIm5iZiI6MTcyNzA1NDg4OCwicGF0aCI6Ii8xMDIwMDgyMzQvMjc0NzY4ODA5LWY2NTliNWMxLWE2ZmUtNDQzNi1iMDkwLThkNDQ5NTM1YjE1My5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwOTIzJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDkyM1QwMTI4MDhaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT05OWI2YzIwNzI5MWFiOWVkNTFiNWUwZjI4ZWU4NWVmMmY3MDc0ZjMxNzM5NmY0ODE0Yzg4MzhmOTRmMThhMzQ5JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.tyUC6kxA3bY4fSLNV7ie-vr5S7l3VRCm_nN7ss9U7WU> The only error I got before getting this error was that there was a self signed certificate in the chain. Thanks in advance. add below line in your code: process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; — Reply to this email directly, view it on GitHub <#598 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANF7CGGESHCPZWJS6ZG6CMTZX5WYPAVCNFSM6AAAAABOVC3AAWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNRXGEYDAMJQGQ> . You are receiving this because you commented.Message ID: <xmppjs/xmpp. ***@***.***>