This repository has been archived by the owner on May 14, 2024. It is now read-only.

Allow changing TLS connection options in client #122

Merged
merged 1 commit into from
Mar 25, 2013


tmuellerleile
Contributor

node v0.10 TLS validates server certificates by default, so allow for setting custom connection options (e.g. ca or rejectUnauthorized).

Quoting node's changelog:

2012.09.17, Version 0.9.2 (Unstable)
...

  • tls, https: validate server certificate by default (Ben Noordhuis)

@abdielou

This would be very useful for me.

mcavage added a commit that referenced this pull request on Mar 25, 2013: Allow changing TLS connection options in client
mcavage merged commit bd7c3ec into ldapjs:master on Mar 25, 2013

@DominicBoettger

Works with rejectUnauthorized for my server, but ca-files did not work for me.

Tried to create a bundle file with root, sub and server certificate. Tried the server certificate, which I downloaded via openssl s_client -host myhost -port 636 -CAfile /etc/ssl/certs/ca-certificates.crt.

Tried with my system's CA bundle, /etc/ssl/certs/ca-certificates.crt.

Nothing worked for me. Any ideas?

@tmuellerleile
Contributor Author

Well, this certainly sounds like a cert (chain) validation issue. Did you try to attach a bunyan logger instance to the client like this(?):

var ldap = require('ldapjs');
var bunyan = require('bunyan');

var client = ldap.createClient({
  // ... (your existing client options)
  log: bunyan.createLogger({
    name: 'myapp',
    level: 'trace',  // this is important!
    serializers: {
      err: bunyan.stdSerializers.err,   // this is important, too!
    }
  }),
  // ...
});

This should print a (nice-looking when going through | bunyan) stack trace of the underlying connection layer errors which might give more hints regarding the potential issues with your certs.

@tmuellerleile
Contributor Author

@DominicBoettger FYI: Your issue might have been related to a change in the cert validation procedure of node itself. I learned about this only last week in a somewhat related context and submitted a pull request which fixes an edge case in validation.
The PR has been accepted and published in current stable node (0.10.4) and even backported to legacy 0.8.

HTH
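
Added example, not part of the thread and not ldapjs's own code: one way to turn a bundle file of concatenated PEM certificates into the array form that Node's ca option accepts, while leaving rejectUnauthorized enabled. The helper names and the sample bundle (placeholder base64, not real certificates) are constructed for illustration.

```javascript
'use strict';

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a concatenated PEM bundle into one normalized string per certificate.
// Comments and blank lines between blocks are ignored.
function splitPemBundle(bundleText) {
  const blocks = String(bundleText).match(PEM_CERT) || [];
  return blocks.map((block) => {
    const lines = block.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
    const body = lines.slice(1, -1).join('');
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
      throw new Error('certificate block contains non-base64 data');
    }
    return lines.join('\n') + '\n';
  });
}

// Build TLS options that trust only the CAs from the bundle and keep
// certificate verification on. An empty bundle is an error, never a
// reason to fall back to rejectUnauthorized: false.
function buildTlsOptions(bundleText) {
  const ca = splitPemBundle(bundleText);
  if (ca.length === 0) {
    throw new Error('no CA certificates found; refusing to build options');
  }
  return { ca, rejectUnauthorized: true };
}

// Constructed sample bundle: placeholder base64, not real certificates.
const SAMPLE_BUNDLE = [
  '# root CA (constructed)',
  '-----BEGIN CERTIFICATE-----',
  'QUFBQUFBQUFBQUFB',
  '-----END CERTIFICATE-----',
  '',
  '# intermediate CA (constructed, CRLF and stray whitespace)',
  '-----BEGIN CERTIFICATE-----\r',
  '  QkJCQkJCQkJCQkJC  ',
  '-----END CERTIFICATE-----',
].join('\n');

const opts = buildTlsOptions(SAMPLE_BUNDLE);
console.log('CA entries:', opts.ca.length, 'verify:', opts.rejectUnauthorized);
```

The returned object is in the shape Node's TLS layer takes, so it can be handed to the client as the TLS connection options this pull request exposes.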
