From 6f382affdef258b2f536861c47abdc3df76fa9b7 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Tue, 29 Oct 2019 11:10:57 -0700
Subject: [PATCH] Added correct hostname header when loading reverse proxy certificate.
---
 certoperations.js | 14 ++++++++------
 meshcentral.js | 8 +++++---
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/certoperations.js b/certoperations.js
index 3cccfd53..6cbcbbc5 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -195,25 +195,27 @@ module.exports.CertificateOperations = function (parent) {
 }
 // Return the certificate of the remote HTTPS server
- obj.loadCertificate = function (url, tag, func) {
+ obj.loadCertificate = function (url, hostname, tag, func) {
+ console.log('loadCertificate', url, hostname);
 const u = require('url').parse(url);
 if (u.protocol == 'https:') {
 // Read the certificate from HTTPS
- const tlssocket = obj.tls.connect((u.port ? u.port : 443), u.hostname, { servername: u.hostname, rejectUnauthorized: false }, function () { this.xxcert = this.getPeerCertificate(); this.end(); });
+ if (hostname == null) { hostname = u.hostname; }
+ const tlssocket = obj.tls.connect((u.port ? u.port : 443), u.hostname, { servername: hostname, rejectUnauthorized: false }, function () { this.xxcert = this.getPeerCertificate(); this.end(); });
 tlssocket.xxurl = url;
 tlssocket.xxfunc = func;
 tlssocket.xxtag = tag;
- tlssocket.on('end', function () { this.xxfunc(this.xxurl, this.xxcert.raw.toString('binary'), this.xxtag); });
- tlssocket.on('error', function () { this.xxfunc(this.xxurl, null, this.xxtag); });
+ tlssocket.on('end', function () { this.xxfunc(this.xxurl, this.xxcert.raw.toString('binary'), hostname, this.xxtag); });
+ tlssocket.on('error', function () { this.xxfunc(this.xxurl, null, hostname, this.xxtag); });
 } else if (u.protocol == 'file:') {
 // Read the certificate from a file
 obj.fs.readFile(url.substring(7), 'utf8', function (err, data) {
 if (err) { func(url, null, tag); return; }
 var x1 = data.indexOf('-----BEGIN CERTIFICATE-----'), x2 = data.indexOf('-----END CERTIFICATE-----');
 if ((x1 >= 0) && (x2 > x1)) {
- func(url, Buffer.from(data.substring(x1 + 27, x2), 'base64').toString('binary'), tag);
+ func(url, Buffer.from(data.substring(x1 + 27, x2), 'base64').toString('binary'), hostname, tag);
 } else {
- func(url, data, tag);
+ func(url, data, hostname, tag);
 }
 });
 } else { func(url, null, tag); }
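Review bot: The readFile error path `if (err) { func(url, null, tag); return; }` and the closing `} else { func(url, null, tag); }` still invoke the callback with the old three-argument shape, while every other path in this hunk now passes `hostname` before `tag`; the meshcentral.js callback in this same commit is declared as `(url, cert, xhostname, xdomain)`, so on those two paths it receives the domain object as `xhostname` and `undefined` as `xdomain`, and its failure log prints the domain object instead of a host name. Both calls should become `func(url, null, hostname, tag);`. The added `console.log('loadCertificate', url, hostname);` looks like leftover debugging output — it prints every certificate URL at startup with no prefix and should be dropped before merge. The closing brace of obj.loadCertificate is outside the hunk.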
diff --git a/meshcentral.js b/meshcentral.js
index f47b9d92..07252a3b 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -862,7 +862,9 @@ function CreateMeshCentralServer(config, args) {
 // Load web certs
 webCertLoadCount++;
- obj.certificateOperations.loadCertificate(obj.config.domains[i].certurl, obj.config.domains[i], function (url, cert, xdomain) {
+ var dnsname = obj.config.domains[i].dns;
+ if ((dnsname == null) && (i == '') && (obj.config.settings.cert != null)) { dnsname = obj.config.settings.cert; }
+ obj.certificateOperations.loadCertificate(obj.config.domains[i].certurl, dnsname, obj.config.domains[i], function (url, cert, xhostname, xdomain) {
 if (cert != null) {
 // Hash the entire cert
 var hash = obj.crypto.createHash('sha384').update(Buffer.from(cert, 'binary')).digest('hex');
@@ -875,11 +877,11 @@ function CreateMeshCentralServer(config, args) {
 //console.log('V1: ' + xdomain.certkeyhash);
 } catch (ex) { }
- console.log('Loaded web certificate from ' + url);
+ console.log('Loaded web certificate from \"' + url + '\", host: \"' + xhostname + '\"');
 console.log(' SHA384 cert hash: ' + xdomain.certhash);
 if (xdomain.certhash != xdomain.certkeyhash) { console.log(' SHA384 key hash: ' + xdomain.certkeyhash); }
 } else {
- console.log('Failed to load web certificate at: ' + url);
+ console.log('Failed to load web certificate at: \"' + url + '\", host: \"' + xhostname + '\"');
 }
 webCertLoadCount--;
 if (webCertLoadCount == 0) { obj.StartEx4(); } // Done loading all certificates
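Review bot: The new `dnsname` selection has no comment explaining why only the default domain (`i == ''`) falls back to `obj.config.settings.cert` while every other domain is passed through as `undefined`; a reader has to go to certoperations.js to learn that loadCertificate substitutes the URL's host for a null name, and only for https URLs. A comment such as `// Host name sent as TLS SNI when fetching the cert: the domain's dns entry, or the server cert name for the default domain; null lets loadCertificate fall back to the URL's hostname (https only)` above the `var dnsname` line would make the intent explicit. The enclosing for loop and CreateMeshCentralServer begin outside the hunk.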
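Review bot: The `\"` escapes in the two new console.log lines are unnecessary inside single-quoted strings and make the messages harder to read; `console.log('Loaded web certificate from "' + url + '", host: "' + xhostname + '"');` (and the same form for the failure line) is equivalent. For a domain with no `dns` entry whose certificate is loaded from a `file:` URL, `xhostname` arrives as undefined, because loadCertificate only substitutes the URL's host on the https path, so these messages would print `host: "undefined"`; appending the host part only when `xhostname != null` would keep the log accurate.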