uNetworking / uWebSockets

Simple, secure & standards compliant web server for the most demanding of applications
Apache License 2.0

Get some certificate info, like hash or name #1548

Open gotshadowbantempaccount opened 1 year ago

gotshadowbantempaccount commented 1 year ago

What is my problem:

// example nanoexpress use: uWebSockets.js
app.get('/24325325141', async (req, res) => {
    // this is a dummy - users from google please ignore
    res.end( req.cert.CommonName == 'sni.cloudflaressl.com' );
})

uNetworkingAB commented 1 year ago

You want SNI?

gotshadowbantempaccount commented 1 year ago

Right now I'm just checking if the 'cf-connecting-ip' header exists, but I need something "real" that can't be spoofed.

Cloudflare issues Edge Certificates, and in my opinion the best way to "verify" the certificate (without a bottleneck) is to compare the "thumbprint" or "SerialNumber".

uNetworkingAB commented 1 year ago

Can you author a coherent message with a clear description of what why how you want here? Are you reporting a bug?

gotshadowbantempaccount commented 1 year ago

I need to verify the "client certificate" (Cloudflare Origin Certificate, edge certificate) when it's connecting to my nanoexpress that uses uWebSockets.js.

Example variable, like: req.clientcert.thumbprint or req.clientcert.SerialNumber

if ( req.clientcert.SerialNumber != '3938729374e719838' ) { res.end( 'not a Cloudflare user' ); }

Something like in nginx: ssl_client_certificate /etc/nginx/cloudflare.crt;

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

gotshadowbantempaccount commented 1 year ago

Whatever, I'll just add a header to verify in Cloudflare, in "HTTP Request Header Modification", and check the value, if it exists, against my secret key.

gillsoftab commented 1 year ago

If you use node 15.6.0 or later with uWebSockets.js you could get the identifier of a certificate using this code.

const crypto = require('crypto');

const getCertIdentifier = (cert, unique = true) => {
  try {
    const x509 = new crypto.X509Certificate(Buffer.from(cert));
    return unique ? x509.fingerprint256 : x509.serialNumber;
  } catch {
    return null;
  }
};

const identifier = getCertIdentifier('<cert in pem format>');
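
The two checks discussed in this thread, as an added example that is not code from the thread or from uWebSockets.js: matching a certificate fingerprint against pinned values, and validating a shared-secret header. It assumes the fingerprint string comes from something like getCertIdentifier above for a certificate the TLS layer has already verified; all function names and sample values are hypothetical, and how the values reach the handler is not shown.

```javascript
const crypto = require('crypto');

// Reduce a fingerprint to bare lowercase hex so Node's "AA:BB:..." form,
// openssl's "sha256 Fingerprint=AA:BB:..." and plain "aabb..." all compare equal.
function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/^.*=/, '').replace(/[:\s]/g, '').toLowerCase();
  return /^[0-9a-f]{64}$/.test(hex) ? hex : null; // null = not a SHA-256 fingerprint
}

// Fail closed: a missing or malformed fingerprint (for example the null that
// getCertIdentifier returns on a parse error) never matches. A fingerprint is
// public, so a match only means something for a certificate the TLS handshake
// has already verified; plain set membership is enough here.
function isPinned(presented, pinnedList) {
  const fp = normalizeFingerprint(presented);
  if (fp === null) return false;
  const pinned = new Set(pinnedList.map(normalizeFingerprint).filter(Boolean));
  return pinned.has(fp);
}

// The shared-secret header is a secret, so compare in constant time.
// Hashing both sides first yields equal-length buffers, which
// crypto.timingSafeEqual requires, and hides the secret's length.
function headerSecretOk(headerValue, secret) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) return false;
  if (typeof secret !== 'string' || secret.length === 0) return false;
  const a = crypto.createHash('sha256').update(headerValue).digest();
  const b = crypto.createHash('sha256').update(secret).digest();
  return crypto.timingSafeEqual(a, b);
}

// Constructed sample values, not real Cloudflare data.
const PINNED = ['ab'.repeat(32)];
const PRESENTED = Array(32).fill('AB').join(':'); // Node fingerprint256 style
const SECRET = 'constructed-shared-secret';

console.log(isPinned(PRESENTED, PINNED));
console.log(isPinned(null, PINNED));
console.log(headerSecretOk('constructed-shared-secret', SECRET));
console.log(headerSecretOk('guess', SECRET));
```

The header check only holds if the origin is unreachable except through the proxy that injects the secret, and the secret is rotated like any other credential.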