Is certificate revocation lists (CRL) supported?

Hi!

I need to create a DDP connection between Meteor nodes. The nodes acting as 'servers' are behind Nginx proxies. I have a self-signed certificate chain. For each server I have created and installed a certificate chain. On the 'client' Meteor node I have installed the root certificate of this chain. This works fine, and the Meteor client accepts the certificate of the server when connecting like:
var cnx = DDP.connect('https://10.0.0.2/');

For one of the servers, I have revoked the certificate. I have created a CRL-chain. When I run commands on the client node such as 'wget' or 'curl', I'm able to use this CRL-chain. I have to explicitly give the location of the CRL file in both cases. It states that the certificate has been revoked from one of the servers, while it still accepts the certificate from the other server. So the certificate and CRL-chain seem to work OK in this case. (I have tried to install the CRL-chain on the client node, but it seems like 'wget' and 'curl' are not able to pick it up.)

From what I have read about CRL support and using 'strace' when running 'wget', 'curl' and 'meteor', it seems CRL support varies from application to application. The level of CRL support and how it is implemented is not only dependent on the SSL library, but also on the application built on top.

So my questions are:

Is CRL supported at all in Meteor?

If so:

- Is it possible to give a CRL file to Meteor in a similar way as 'curl --crlfile …' or through an environment variable?

- Any pointers to documentation on how to use CRLs with Meteor?

I’m testing with Meteor 1.8 on Ubuntu 18.04 (nodejs v8.10.0).

Thanks,

Hans Ole Rafaelsen

1 Like

It looks like the websocket implementation ends up using the core tls module in node. So if node supports it, Meteor inherits that support.

If you have to give the location of the CRL file manually, then it sounds like your self-signed CA doesn't have a CRL distribution point in its root certificate (and/or the current CRL isn't available there).

This question might be helpful in digging further into this

Thanks!

I have been digging a bit in the Meteor code, and it seems like the DDP.connect call can pass options to faye and down to tls. I had to split the CRL chain into its separate parts, but then I got this working.

var fs = require('fs');

// Options under npmFayeOptions are handed to the faye websocket client;
// its 'tls' object goes straight to node's tls.connect, so one CRL per
// CA in the chain is passed as an array, and 'ca' is the trusted root.
var cnx = DDP.connect('https://10.0.0.2/', {
  npmFayeOptions: {
    tls: {
      crl: [
        fs.readFileSync('/home/hans/root.crl.pem'),
        fs.readFileSync('/home/hans/level1.crl.pem'),
        fs.readFileSync('/home/hans/level2.crl.pem')
      ]
    },
    ca: fs.readFileSync('/home/hans/ca_root.crt')
  }
});

Which gives this expected result:
"stream error Network error: wss://10.0.0.2/websocket: certificate revoked"


Hans Ole

2 Likes
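The two points raised in this thread, that Meteor simply inherits node's tls CRL handling and that the CRL chain has to be supplied one CRL per CA, can be checked outside Meteor with the openssl CLI before wiring anything into DDP.connect. The script below is an added example, not code from the thread or from Meteor: it builds a throwaway two-level CA (root, intermediate, two server leaves), revokes one leaf, publishes a CRL for each CA and then verifies both leaves with -crl_check_all, which is the same "check every CA in the chain" mode node's tls store uses once a crl option is given. Paths, subject names and the reason code are constructed for the example; it assumes openssl 1.1.1 or 3.x on PATH and writes everything under a temp directory.

```shell
# Added example (not from the forum thread or Meteor): two-level throwaway CA,
# one revoked leaf, one CRL per CA, verification against the CRL chain.
# All key material is constructed on the fly; assumes openssl 1.1.1 or 3.x.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal "openssl ca" configuration for the CA living in $1, plus a [req]
# section so the req calls below do not depend on the system openssl.cnf.
write_ca_config() {
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = placeholder
EOF
  touch "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
}

# Fresh RSA key and CSR for subject $2, written to $WORK/$1.key and $WORK/$1.csr.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/root/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

write_ca_config "$WORK/root"
write_ca_config "$WORK/inter"

# Root CA: self-signed with CA:TRUE and cRLSign so it may sign its own CRL.
new_csr root/ca "Test Root CA"
openssl x509 -req -in "$WORK/root/ca.csr" -signkey "$WORK/root/ca.key" -days 1 \
  -sha256 -extfile "$WORK/root/ca.cnf" -extensions ca_ext \
  -out "$WORK/root/ca.crt" 2>/dev/null

# Intermediate CA: issued by the root through "openssl ca".
new_csr inter/ca "Test Intermediate CA"
openssl ca -config "$WORK/root/ca.cnf" -batch -notext -extensions ca_ext \
  -in "$WORK/inter/ca.csr" -out "$WORK/inter/ca.crt" 2>/dev/null

# Two server certificates issued by the intermediate.
for name in server-a server-b; do
  new_csr "$name" "$name.test"
  openssl ca -config "$WORK/inter/ca.cnf" -batch -notext -extensions server_ext \
    -in "$WORK/$name.csr" -out "$WORK/$name.crt" 2>/dev/null
done

# Revoke server-b, then publish a fresh CRL for each CA and bundle them.
openssl ca -config "$WORK/inter/ca.cnf" -revoke "$WORK/server-b.crt" \
  -crl_reason keyCompromise 2>/dev/null
openssl ca -config "$WORK/root/ca.cnf" -gencrl -out "$WORK/root.crl.pem" 2>/dev/null
openssl ca -config "$WORK/inter/ca.cnf" -gencrl -out "$WORK/inter.crl.pem" 2>/dev/null
cat "$WORK/root.crl.pem" "$WORK/inter.crl.pem" > "$WORK/chain.crl.pem"

# Verify leaf $1 against the chain with the CRL bundle $2, checking every CA's
# CRL (-crl_check_all). Returns 0 when valid, 1 when OpenSSL reports the leaf
# revoked, 2 for any other failure, e.g. a CA whose CRL is missing from $2.
crl_status() {
  out="$(openssl verify -crl_check_all -CAfile "$WORK/root/ca.crt" \
    -untrusted "$WORK/inter/ca.crt" -CRLfile "$2" "$1" 2>&1)" && return 0
  case "$out" in
    *"certificate revoked"*) return 1 ;;
    *) return 2 ;;
  esac
}

for name in server-a server-b; do
  rc=0; crl_status "$WORK/$name.crt" "$WORK/chain.crl.pem" || rc=$?
  echo "$name with full CRL chain: status $rc"
done
rc=0; crl_status "$WORK/server-a.crt" "$WORK/inter.crl.pem" || rc=$?
echo "server-a with intermediate CRL only: status $rc"
```

The last call is the interesting one: server-a is not revoked, yet verification still fails (status 2, "unable to get certificate CRL") when only the intermediate's CRL is available, because chain-wide CRL checking also wants a CRL from the root. That is the same requirement that made the poster pass root.crl.pem alongside the level1 and level2 CRLs in the tls.crl array.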