0

I have a nodejs https server running on my Raspberry Pi. It responses to ajax requests. When open the webpage with a desktop/laptop or an iPhone (Safari), the ajax call returns the proper result with a http 200 return code. However, when I do the same from a Firefox browser on an Android mobile phone, I get an empty result with 0 as http return code. The server side logs indicate that there is a problem with the certificate.

(I always confirm that I take the risk for the self-signed certificate before I open the webpage.)

When I open the nodejs resource directly (instead of opening the webpage) on Firefox/Android, the error doesn't occur.

Update: The event 'clientError' of the nodeJS server fires and shows the following error message in the server logs:

node[30508]: [Error: 1995487744:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 42
node[30508]: ] {
node[30508]:   library: 'SSL routines',
node[30508]:   function: 'ssl3_read_bytes',
node[30508]:   reason: 'sslv3 alert bad certificate',
node[30508]:   code: 'ERR_SSL_SSLV3_ALERT_BAD_CERTIFICATE'
node[30508]: }

However, this error does not occour (and this not show up in the log files), when I call the webpage/resource from any other client.

OpenSSL shows this diagnosis:

$ openssl s_client -host 192.168.1.19 -port 443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
verify return:1
---
Certificate chain
 0 s:C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
   i:C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local

issuer=C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1491 bytes and written 363 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B24098C068F9ECD0BFC30EDF927E89612B44DEF4B3116A71FC91C4E864B3FB2D
    Session-ID-ctx: 
    Resumption PSK: C48161A2239187636E97AFC01B3E4BD55147F6DFFB0F030BEF4D0FD6CE1377D6F47EE18A642E9AA53D0433F468CC1F62
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
...
    Start Time: 1687557206
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 83F99A48AD8D62C89D166ABC8CC5D268B768AA4D7951FCC3AF3AA06B5BFC9239
    Session-ID-ctx: 
    Resumption PSK: EF1B6282D0AC4F1A99275B3559ABB75E28A6D71A937FA18E2B36B09DFC90189787CB7C3B08084778191A8D719BDCC105
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
...
    Start Time: 1687557206
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

The server side certificate also seems OK:

$ sudo openssl x509 -in /etc/path/certificate.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            63:48:70:19:2f:86:fa:04:34:9f:1c:af:d5:d4:60:60:12:c0:21:db
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
        Validity
            Not Before: Jul 29 18:42:15 2022 GMT
            Not After : Aug  1 18:42:15 2032 GMT
        Subject: C = AT, ST = MyCity, L = MyCity, O = MyOrg, CN = rp.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                83:35:90:AB:2E:A0:CA:8B:FA:3B:A6:CD:63:FA:9B:59:22:6E:40:CC
            X509v3 Authority Key Identifier: 
                keyid:83:35:90:AB:2E:A0:CA:8B:FA:3B:A6:CD:63:FA:9B:59:22:6E:40:CC

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

I have no idea what's wrong with that. Any help what might trigger that error is highly appreciated.

Improve this question

0

Reset to default

You must log in to answer this question.