Skip to content

Instantly share code, notes, and snippets.

@anhldbk
Last active March 3, 2024 16:36
Show Gist options
  • Star 57 You must be signed in to star a gist
  • Fork 15 You must be signed in to fork a gist
  • Save anhldbk/3ea07d006c0fd411f19c0e362d4e0ec0 to your computer and use it in GitHub Desktop.
Save anhldbk/3ea07d006c0fd411f19c0e362d4e0ec0 to your computer and use it in GitHub Desktop.
TLS client & server in NodeJS

1. Overview

This is an example of using module tls in NodeJS to create a client securely connecting to a TLS server.

It is a modified version from documentation about TLS, in which:

  • The server is a simple echo one. Clients connect to it, get the same thing back if they send anything to the server.
  • The server is a TLS-based server.
  • Clients somehow get the server's public key and use it to work securely with the server

2. Preparation

We need to generate keys & certs for the server. Pay attention to Common Name (e.g. server FQDN or YOUR name) when creating server-csr.pem. It should be your domain name.

$ mkdir tls
$ cd tls
$ openssl genrsa -out server-key.pem 4096
$ openssl req -new -key server-key.pem -out server-csr.pem
$ openssl x509 -req -in server-csr.pem -signkey server-key.pem -out server-cert.pem

For example:

$ openssl req -new -key server-key.pem -out server-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:VN
State or Province Name (full name) [Some-State]:Hanoi
Locality Name (eg, city) []:Hanoi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Evolas Technologies
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:evolastech.com
Email Address []:hi@evolastech.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Run the demo

$ node server.js &
$ node client.js &

You may have following things printed out:

server bound
server connected unauthorized
client connected authorized
welcome!
const tls = require('tls');
const fs = require('fs');
const options = {
ca: [ fs.readFileSync('server-cert.pem') ]
};
var socket = tls.connect(8000, 'evolastech.com', options, () => {
console.log('client connected',
socket.authorized ? 'authorized' : 'unauthorized');
process.stdin.pipe(socket);
process.stdin.resume();
});
socket.setEncoding('utf8');
socket.on('data', (data) => {
console.log(data);
});
socket.on('end', () => {
console.log('Ended')
});
const tls = require('tls');
const fs = require('fs');
const options = {
key: fs.readFileSync('server-key.pem'),
cert: fs.readFileSync('server-cert.pem'),
rejectUnauthorized: true,
};
const server = tls.createServer(options, (socket) => {
console.log('server connected',
socket.authorized ? 'authorized' : 'unauthorized');
socket.write('welcome!\n');
socket.setEncoding('utf8');
socket.pipe(socket);
});
server.listen(8000, () => {
console.log('server bound');
});
@MasterJames
Copy link

This is great to have thanks.

My wishlist for the community was to also have something about using Chrome Client-Side to connect to the 12.2+ nodejs TLS websocket server to start (with possibly Elliptic-curve Diffie–Hellman ECDHE), sessionID Session Resumption and potentially more.

@heijmerikx
Copy link

Thanks for this, helped me start my PoC quicker!

@AfJalili
Copy link

AfJalili commented Jul 3, 2021

Thanks it helped

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment