pghalliday / tls-tunnel

MIT License

Start tunnel using HTTPS authentication request #3

Open wildabeast opened 9 years ago

wildabeast commented 9 years ago

Thanks for the awesome lib!

In my use case, I'd like to remove the use of certificate verification, and add some simple HTTP authentication to initiate the tunnel. I see that you have something similar in your roadmap:

Client should make a simple HTTPS request to the control port to start a new tunnel and not hold a TLS connection open

I'd be happy to work on this and contribute back, but am looking for some help with a starting point, where this would happen, etc.

pghalliday commented 9 years ago

Phew, it's been over 18 months since I actually did any real coding on this - I'll have to give it a once over to see what changes would be needed.

Just to clarify you want your private client to be able to establish a connection to the public server without having to authenticate? It seems a little insecure but might be quite simple to do :)

I'm not sure this relates to the HTTPS thing in the roadmap which is more about just streamlining the process of establishing a connection and would still have involved authentication

pghalliday commented 9 years ago

It may be as simple as making the following requestCert and rejectUnauthorized settings optional in src/Server/Server.js

    var tls = require('tls');

    // requestCert makes the server ask every connecting client for a
    // certificate, and rejectUnauthorized drops any client whose certificate
    // does not chain to options.ca - together they give mutual TLS
    // (client authentication), which is what the issue wants to make optional.
    var secureServer = tls.createServer({
        key: options.key,
        cert: options.cert,
        requestCert: true,
        rejectUnauthorized: true,
        ca: options.ca
    });

Similarly in src/Client/Client.js there is a check to authenticate that the server is the real server which requires the clients to know the server's certs in advance. Look for the rejectUnauthorized settings in there.

pghalliday commented 9 years ago

Oh there's also the tunnel created in src/Server/Switchboard.js

    // The per-client tunnel server applies the same client-certificate
    // requirement as the control server above.
    var server = new Server({
      key: options.key,
      cert: options.cert,
      ca: options.ca,
      requireCert: true,
      rejectUnauthorized: true
    });

pghalliday commented 9 years ago

Just so you know if this disappears down a rabbit hole into single-tls-tunnel then I also maintain that library

pghalliday commented 9 years ago

Just rereading - I missed the bit about simple HTTP authentication - now I see why you want to switch to the HTTPS method. That will be more work indeed, but the bit you're wanting to replace is that secureServer instance from src/Server/Server.js

wildabeast commented 9 years ago

@pghalliday thanks! Sorry for not responding sooner, I posted this right before disconnecting for a couple of weeks. I'm hoping to start playing with this over the next few weeks -- so thanks for the starting points!