I'm trying to check the SSL status of an external domain with Node. It works fine with a test using google.com. However, when I try a URL which I know has an invalid SSL certificate (revoked in this case), the value for `res.socket.authorized` is still true.

Am I using this wrong or is there a better way to validate the status of a domain's SSL certificate?

```javascript
const https = require('https');

const options = {
  host: 'revoked.badssl.com',
  method: 'get',
  path: '/'
};

const req = https.request(options, res => {
  console.log('Certificate Status: ', res.socket.authorized);
});

req.on('error', error => {
  console.error('Error: ', error);
});

req.end();
```

D-Money
  • I don't think node does active CRL checks, if your SSL host is otherwise valid but revoked? Pretty sure you need to provide a CRL to the client via the `crl` option https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options – Matt Oct 09 '17 at 02:52
  • Refer to this link https://stackoverflow.com/a/34354118/7635845 – Syed Ayesha Bebe Oct 09 '17 at 05:11

1 Answer

So this turned out to be an issue specifically with revoked SSL certificates.

Revocation of a certificate is not propagated across all certificate authorities. Each CA publishes a certificate revocation list (CRL) containing the list of only the revoked certificates that were issued by this specific CA.

More detail on working around this here: How does certificate revocation work with intermediate CA's?

D-Money
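
As the comment and answer above say, Node checks revocation only against CRLs passed in the `crl` option, and each CRL covers only the certificates of its own issuer. The following is an added example, not code from the question or answer; the helper names (`crlToPem`, `verdict`, `checkHost`) and the script name are hypothetical, and it assumes the CRL files for the issuers in the chain were downloaded beforehand.

```javascript
// Added example (not the poster's code). Helper names are hypothetical.
const tls = require('tls');
const fs = require('fs');

// CAs usually publish CRLs as DER; the `crl` option expects PEM.
function crlToPem(buf) {
  if (buf.length === 0) throw new Error('empty CRL');
  const text = buf.toString('latin1');
  if (text.includes('-----BEGIN X509 CRL-----')) return text;
  const b64 = buf.toString('base64').match(/.{1,64}/g).join('\n');
  return `-----BEGIN X509 CRL-----\n${b64}\n-----END X509 CRL-----\n`;
}

// Map socket.authorized / socket.authorizationError to a revocation verdict.
function verdict(authorized, authorizationError) {
  if (authorized) return 'ok';
  const code = String(authorizationError);
  if (code === 'CERT_REVOKED') return 'revoked';
  // A certificate whose issuer's CRL is missing or stale cannot be cleared,
  // so report "unknown" instead of treating it as good.
  const crlProblems = ['UNABLE_TO_GET_CRL', 'CRL_HAS_EXPIRED', 'CRL_NOT_YET_VALID'];
  return crlProblems.includes(code) ? 'unknown' : 'invalid';
}

// Connect with the supplied CRLs loaded. rejectUnauthorized is false only so
// the verdict can be read; no application data is sent on this socket.
function checkHost(host, crlPems) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect(
      { host, port: 443, servername: host, crl: crlPems, rejectUnauthorized: false },
      () => {
        resolve(verdict(socket.authorized, socket.authorizationError));
        socket.end();
      });
    socket.on('error', reject);
  });
}

// Usage: node check-crl.js <host> <crl-file> [<crl-file> ...]
if (process.argv.length > 3) {
  const [host, ...files] = process.argv.slice(2);
  checkHost(host, files.map(f => crlToPem(fs.readFileSync(f))))
    .then(v => console.log(host, v), e => console.error('Error:', e.message));
}
```

A result of `unknown` means at least one certificate in the chain had no usable CRL from its issuer, so the check should be repeated with that issuer's CRL added.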