Rob

Reputation: 19

https ssl password in node js 0.4

node 0.2.6 way:

    var credentials = crypto.createCredentials({ "key": SSLKey, "cert": SSLCert, "ca": Ca, "password": SSLKeyPass })
    var client = http.createClient(apiPort, host, true, credentials)

node 0.4 way:

    var options = {
        host: apiHost,
        port: apiPort,
        method: 'GET',
        path: uri,
        headers: {host: host},
        key: SSLKey,
        cert: SSLCert,
        ca: Ca,
        password: SSLKeyPass
    }

    var request = https.request(options, function (response) {
        // response handling not shown in the question
    })

As you can see, there is a password needed; I don't know where the password is supposed to go in node 0.4.

Where does SSLKeyPass go on node 0.4?

Upvotes: 1

Views: 3418

Answers (2)

matehat

Reputation: 5374

For the record, you can provide a passphrase when creating a Credentials object in Node.js. This section of Node.js documentation on the crypto module states that the passphrase option can be provided, for either the private key or PFX file. You do not have to keep your private key in clear text on disk somewhere for Node.

Upvotes: 1

Peter Lyons

Reputation: 145994

So even in the node 0.2.6 source code, the crypto.js module is not looking for a password property in the object you pass to createCredentials. Here's the createCredentials source from node 0.2.6. In version 0.4.8 there is still no mention of the word password in the crypto.js module. Did your 0.2.6 code really work?

As a general comment, use openssl to decrypt your private key, keep that secured on disk, and have your node code read that file. This seems to be the most commonly used option. The other options are A) manually typing the passphrase to decrypt your private key whenever you launch your node server (pretty much nobody does this) or B) keeping your cleartext passphrase on disk, which is not any different than just keeping the cleartext private key on disk, so AFAIK this is also a very uncommon solution to the problem of private key security.

You can decrypt your private key with the openssl command line like this:

    openssl rsa -in your_encrypted_private.ekey -out your_private.key

openssl will prompt you for the passphrase interactively.

Upvotes: 3
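The point the two answers above turn on, as an added example that is not part of either answer: the TLS option is named `passphrase`, and a `password` property like the one in the question is ignored. It assumes a current Node.js release (not 0.4); the key and passphrase are throwaway values constructed inline, and the helper names are hypothetical.

```javascript
// Added example; assumes a current Node.js release with built-in crypto and tls.
const crypto = require('crypto');
const tls = require('tls');

const PASSPHRASE = 'constructed-example-passphrase'; // constructed sample value

// Generate a throwaway RSA key, PEM-encoded and encrypted with PASSPHRASE.
function makeEncryptedKey() {
  const { privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem',
      cipher: 'aes-256-cbc', passphrase: PASSPHRASE,
    },
  });
  return privateKey;
}

// https.request() hands key/cert/ca/passphrase to this same TLS context code,
// so a context that fails to build here means the request would fail too.
function canLoad(options) {
  try {
    tls.createSecureContext(options);
    return true;
  } catch (err) {
    return false;
  }
}

// In-process counterpart of `openssl rsa -in encrypted -out decrypted`.
function decryptKey(pem, passphrase) {
  return crypto.createPrivateKey({ key: pem, passphrase })
    .export({ type: 'pkcs8', format: 'pem' });
}

function demo() {
  const encrypted = makeEncryptedKey();
  return {
    isEncrypted: encrypted.includes('ENCRYPTED PRIVATE KEY'),
    withPassphrase: canLoad({ key: encrypted, passphrase: PASSPHRASE }),
    withPasswordKey: canLoad({ key: encrypted, password: PASSPHRASE }), // ignored option
    withWrongPassphrase: canLoad({ key: encrypted, passphrase: 'wrong' }),
    decryptedLoads: canLoad({ key: decryptKey(encrypted, PASSPHRASE) }),
  };
}

console.log(demo());
```

Whichever route is used, the decrypted key or the passphrase ends up readable by the Node process, so file permissions on that material are what actually protect the key.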
