Node doesn't respond to SSL client hello

[plexel]

(for more direct info about the SSL client hello see the second comment below)

I posted this bug https://bugzilla.mozilla.org/show_bug.cgi?id=678105 on mozilla after problems with Firefox and node.exe. Not sure if it might be a node problem though.

The server code and instructions are listed in the bug report.

Basically, after setting up a node https server on XP localhost, and installing server key and certificate, and a client certificate in Firefox, on a second request to https://localhost I received a 'connection was reset' error in the browser rather than the server returning a page as it should.

This makes it hard to use client certificate authentication with the Firefox (FF5) browser. No problems were experienced with IE8 nor Opera 11.5, but Chrome 12 hangs after the first request, and that makes me wonder if it is a node problem since two browsers are failing.

The key line in the server.js code is 'requestCert: true' in the following:-

var options = {
key: fs.readFileSync('serverKey.pem'),
cert: fs.readFileSync('serverCert.pem'),
requestCert: true
};

If the line is removed then there are no problems with any browser tested. 'reset' or chrome hanging errors only occur if a certificate is requested.

In Firefox the problem is related to the network.http.keep-alive and network.http.keep-alive.timeout preference settings. Why that should have anything to do with a client certificate request is a mystery, unless maybe node is doing something with keep-alive when the client cert is requested?

As for Chrome hanging I have no idea, but these 'reset' errors make the use of client cert authentication unusable at least on XP localhost. Not sure about an online server though, neither if the errors would occur with apache server for example.

[plexel]

Using the wireshark network protocol analyser and another PC on my LAN I was able to get some more details of what's happening.

The problem seems to be with the client and server hello handshaking.

Wireshark lists various types of protocol for client hello, e.g.

SSL client hello
SSLv2 client hello
TLSv1.0 client hello

For the first request (step 8) FF5 browser uses a TLSv1.0 client hello to which the nodejs server responds ok with a server hello. Everything fine and the browser page displays as it should.

If the nodejs server asked for a client certificate in the first request (requestCert: true) then FF5 uses an SSL client hello in the second request. If no client certificate was asked for then FF5 uses a TLSv1.0 client hello and all is ok.

The nodejs server does not respond with a server hello to a SSL client hello (why not?) even though FF5 sends repeated ones until finally issuing "The connection was reset" error.

IE8 also issues an SSL client hello, but shortly after issues a SSLv2 client hello when the server did not respond to the SSL one. The nodejs server responds to the SSLv2 client hello with a server hello and all is well. This explains why IE8 (and presumably Opera) work ok on the second request.

Chrome issues two SSL client hellos and then gives up when the server does not respond with a server hello.

So it seems the IE8 behaviour is quite sensible and FF5 could be updated to mirror that.

However, the main problem may be the nodejs server for not responding to SSL client hellos. I have no idea why.

(I am no expert on SSL hanshaking and am just reporting what I saw in wireshark)

[plexel]

This issue has now been identified as a node crypto problem and there is a workaround by koichik listed at:-

#1516

The workaround is awaiting approval for inclusion in node proper.

Therefore I am closing this issue.