Closed
Description
If I give key, cert and ca via the options field to https.createServer, the whole key chain is returned on connection (correct behaviour). If I try to do the same via SNICallback, it is not possible to set the whole key chain.
Example code:
```js
var https = require("https");
var fs = require("fs");
var tls = require("tls");

// Leaf certificate, its private key and the intermediate CA certificate.
var o = {
  key: fs.readFileSync("example.com.key"),
  cert: fs.readFileSync("example.com.crt"),
  ca: fs.readFileSync("intermediate.crt")
};

// Build one secure context up front and hand it out for every SNI name.
var context = tls.createSecureContext(o);

var options = {
  SNICallback: function(servername, cb) {
    return cb(null, context);
  },
  ca: o.ca
};

https.createServer(options, function(req, res) {
  res.writeHead(200);
  res.end("hello world\n");
}).listen(8000);
```
Now try to connect via openssl:

```sh
openssl s_client -servername example.com -connect localhost:8000
```

Expected and real behaviour is `Verify return code: 0 (OK)`.
If I remove the ca in the options map like this

```js
var options = {
  SNICallback: function(servername, cb) {
    return cb(null, context);
  }
};
```
and rerun the openssl client, the return code is `Verify return code: 21 (unable to verify the first certificate)`, which indicates that not the whole key chain is returned.
The expected behaviour is `Verify return code: 0 (OK)`, as the ca field is given to tls.createSecureContext.
This occurs in io.js 3.x and Node.js 4.0.0.