Lumpy1201

Reputation: 31

NodeJS - mtls connection through proxy

I have a problem doing a POST request (REST) to a server using mTLS through a proxy server (TypeScript / Node.js 14).

I already tried a lot with global-agent, tunnel, https-proxy-agent, ... but I'm only able to pass the proxy, and then I get different kinds of SSL errors ("sslv3 alert handshake" or "unable to get local issuer"). With curl (from my local environment; without proxy) I can connect, so certificate, key and truststore shouldn't be the problem.

curl --request POST https://open.supertest.com/api --key key.pem --cert cert.pem --cacert certchain.pem -v

The code will be executed via a Lambda function. By the way, it must not be axios and tunnel.

Does someone maybe have a reference implementation in place somehow, or an idea what I might have done wrong?

The following code raises the "unable to get local issuer" error:

import * as tunnel from 'tunnel';
import axios from 'axios';

// CONNECT through the HTTP proxy, then run TLS (with the client certificate) to the target.
const httpsAgent = tunnel.httpsOverHttp({
  proxy: {
    host: 'proxy.test.com',
    port: 8080,
    proxyAuth: 'johndoe:fancypassword',
  },
  // TLS options are passed through to tls.connect for the tunnelled socket.
  ca: [Buffer.from( ###see below### , 'utf-8')],
  key: Buffer.from( ###see below### , 'utf-8'),
  cert: Buffer.from( ###see below### , 'utf-8'),
});

const client = axios.create({
  baseURL: 'https://open.supertest.com/api', // the axios option is baseURL; baseUrl is silently ignored
  httpsAgent,
  proxy: false, // don't use axios' own proxy implementation as it will not handle the corporate proxy correctly
});

// await is only valid inside an async function in Node 14 CommonJS modules
async function send() {
  const response = await client.post(endpointDetails.path, {
    data: {
      message: 'test',
    },
  });
  return response.data;
}

The "ca" (certchain/truststore) content-string looks something like ...

-----BEGIN CERTIFICATE-----
content
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
content
-----END CERTIFICATE-----

and "cert" (client-certificate) content-string looks something like ...

-----BEGIN CERTIFICATE-----
content
-----END CERTIFICATE-----

and "key" (client-privatekey) content-string looks something like ...

-----BEGIN PRIVATE KEY-----
content
-----END PRIVATE KEY-----

Upvotes: 1

Views: 1267

Answers (1)

Lumpy1201

Reputation: 31

Found the issue. It was related to the certchain/truststore. There was one root CA missing which is preinstalled in the operating system where I ran the curl, but of course not in the Lambda. So my solution was to just add the missing root CA and it worked fine.

Upvotes: 0
