3

I recently purchased a personal SSL certificate from Positive SSL. After I got everything sorted out with activating it and the validation, I was finally able to download the certificate files.

The files I got were:

www.niknet.ddns.net.ca-bundle
www.niknet.ddns.net.crt
www.niknet.ddns.net.p7b

Before, I only used .key and .crt and it worked great, but now I am using the .ca-bundle and the .crt file. This is the code I use to include those files into the SSL library in Node.js:

var httpPort = process.env.PORT || 80;
var httpsPort = process.env.PORT || 443;
var server = http.createServer(app).listen(httpPort);
var server = https.createServer({
    secureProtocol : 'TLSv1_2_server_method',
    ciphers : "AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH",
    honorCipherOrder : true,
    ca: fs.readFileSync(__dirname + '/niknet_ddns_net.ca-bundle'),
    cert: fs.readFileSync(__dirname + '/niknet_ddns_net.crt')

    },app).listen(httpsPort);
var io = require('socket.io').listen(server);

But I can't for the life of me get the certificate to work properly. I just get this error:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I've been reading other posts and have tried adding their code but nothing works. I also read somewhere that the ssl or tls library for node.js is outdated and that my certificate could be too new. If that's true, are there any other third-party ssl libraries I could use?

pythonNovice
Nik Hendricks
  • Possible duplicate of [How to create an HTTPS server in Node.js?](https://stackoverflow.com/questions/5998694/how-to-create-an-https-server-in-node-js) – user2226755 May 13 '19 at 09:17

3 Answers

5

Run this command:

openssl req -nodes -new -x509 -keyout server.key -out server.cert

Just remember to set this to localhost:

Common Name (e.g. server FQDN or YOUR name) []: localhost

Then:

 https.createServer({
    key: fs.readFileSync('./ssl/server.key'),
    cert: fs.readFileSync('./ssl/server.cert')
  },app)

ERR_SSL_VERSION_OR_CIPHER_MISMATCH will appear if the added certificates are not indicated properly in the first argument of createServer().

Badr Bellaj
  • Thank you, worked for me. I also had to add a "const fs = require('fs');" line above the "https.createServer..." to declare the fs const... Hope it helps someone :) – hfunes.com Aug 26 '23 at 02:53
2

Tested the key and crt with openssl using the command below (try in browser https://hostname:8888) and found the exact cipher missing.

openssl s_server -cert server.crt -key server.key -CAfile octopz.zende.sk.ca-bundle -accept 8888 -www

Then added to the nodejs code.

var server = https.createServer({
    key: privateKey,
    cert: certificate,
    ca: certificateAuthority,
    ciphers: [
        "ECDHE-RSA-AES128-SHA256",
        "DHE-RSA-AES128-SHA256",
        "AES128-GCM-SHA256",
        "RC4",
        "HIGH",
        "!MD5",
        "!aNULL"
    ].join(':'),
}, app);

It worked!!

nipuna
1

We have lots of dupes of this for other languages, but the closest I can find for nodejs is "How to create an HTTPS server in Node.js?", which is not specific, or "ERR_SSL_VERSION_OR_CIPHER_MISMATCH with node v7.9.0 https", which is not answered. So:

An SSL/TLS server, including an HTTPS server, needs a privatekey AND certificate/chain (with rare exceptions not applicable here). You can use a CA-issued cert (and chain) instead of a self-created (and usually self-signed) cert, as long as the CA-issued cert is for the same privatekey, but you must still provide the privatekey. You can use cert and key together, or you can combine the cert (and optionally chain) and key into a PKCS12-also-called-PFX file, and use pfx.

In addition to the Q you asked, and arguably offtopic for SO, don't use RC4. It's considered broken cryptographically, though still on average moderately difficult/costly in practice, and most standards for using SSL/TLS/HTTPS have prohibited it for several years now, particularly rfc7465.

Community
dave_thompson_085
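The requirement stated in the last answer (a private key plus certificate, or a pfx, and no RC4), written as a preflight check for the options passed to https.createServer(). This is an added example, not code from the question or any of the answers. The function name `preflightTlsOptions` and its problem labels are hypothetical, the sample options are constructed placeholders, and `crypto.X509Certificate` assumes Node.js 15.6 or later.

```javascript
const crypto = require('crypto');

// Returns a list of problems found in an options object meant for
// https.createServer(); an empty list means every check passed.
// (Hypothetical helper: the name and labels are illustrative.)
function preflightTlsOptions(opts) {
  const problems = [];
  const hasPfx = Boolean(opts.pfx);

  // A server needs its private key: either key + cert, or a pfx bundle.
  // The intermediate chain passed as `ca` is not a substitute for the key.
  if (!hasPfx && !opts.key) problems.push('missing-private-key');
  if (!hasPfx && !opts.cert) problems.push('missing-certificate');

  // RC4 is prohibited by RFC 7465; flag it unless the token carries an
  // OpenSSL cipher-string operator (!, -, +) that does not add it.
  const tokens = String(opts.ciphers || '').split(/[:,\s]+/).filter(Boolean);
  if (tokens.some((t) => /RC4/i.test(t) && !/^[!+-]/.test(t))) {
    problems.push('rc4-enabled');
  }

  // With both halves present, confirm the certificate belongs to this key.
  if (opts.key && opts.cert) {
    try {
      const cert = new crypto.X509Certificate(opts.cert);
      const key = crypto.createPrivateKey(opts.key);
      if (!cert.checkPrivateKey(key)) problems.push('key-cert-mismatch');
    } catch (err) {
      problems.push('unreadable-key-or-cert');
    }
  }
  return problems;
}

// Constructed sample shaped like the question's options: cert and ca, no key.
// The PEM strings are placeholders, not real certificates.
const PLACEHOLDER_PEM =
  '-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n';
const questionOptions = {
  ciphers: 'AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
  ca: PLACEHOLDER_PEM,
  cert: PLACEHOLDER_PEM,
};

console.log(preflightTlsOptions(questionOptions));
```

Run the check on the real options object before calling `https.createServer()`, so a missing or mismatched key is reported at startup rather than as a handshake failure in the browser.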