I need to create a DDP connection between Meteor nodes. The nodes acting as ‘servers’ are behind Nginx proxies. I have a self-signed certificate chain. For each server I have created and installed a certificate chain. On the ‘client’ Meteor node I have installed the root certificate of this chain. This works fine, and the Meteor client accepts the certificate of the server when connecting like:
var cnx = DDP.connect('https://10.0.0.2/');
For one of the servers, I have revoked the certificate. I have created a CRL-chain. When I run commands on the client node such as ‘wget’ or ‘curl’, I’m able to use this CRL-chain. I have to explicitly give the location of the CRL file in both cases. It states that the certificate has been revoked from one of the servers, while it still accepts the certificate from the other server. So the certificate and CRL-chain seem to work OK in this case. (I have tried to install the CRL-chain on the client node, but it seems like ‘wget’ and ‘curl’ are not able to pick it up.)
From what I have read about CRL support and using ‘strace’ when running ‘wget’, ‘curl’ and ‘meteor’, it seems CRL support varies from application to application. The level of CRL support and how it is implemented is not only dependent on the SSL library, but also on the application built on top.
So my questions are:
- Is CRL supported at all in Meteor?
- Is it possible to give a CRL file to Meteor in a similar way as ‘curl --crlfile …’ or through an environment variable?
- Any pointers to documentation on how to use CRLs with Meteor?
I’m testing with Meteor 1.8 on Ubuntu 18.04 (nodejs v8.10.0).
Hans Ole Rafaelsen