1

i recently purchased a personal ssl certificate from Positive ssl for about 5 dollars and after i got everything sorted out with activating it and the validation i was finally able to download the certificate files the files i got were

www.niknet.ddns.net.ca-bundle www.niknet.ddns.net.crt www.niknet.ddns.net.p7b

now before i only used .key and .crt and it worked great but now i am using the .ca-bundle and the .crt file this is the code i use to include those files into the ssl library in node js

var forceSsl = require('express-force-ssl');
var httpPort = process.env.PORT || 80;
var httpsPort = process.env.PORT || 443;
var server = http.createServer(app).listen(httpPort);
var server = https.createServer({
    secureProtocol : 'TLSv1_2_server_method',
    ciphers : "AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH",
    honorCipherOrder : true,
    ca: fs.readFileSync(__dirname + '/niknet_ddns_net.ca-bundle'),
    cert: fs.readFileSync(__dirname + '/niknet_ddns_net.crt')

    },app).listen(httpsPort);
var io = require('socket.io').listen(server);

but i cant for the life of me get the certificate to work properly i just get this error

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

i have been reading other post and have tried adding there code but noting works i also read somewhere that the ssl or tls library for node js is kind of outdated and that my certificate could be to new if that is true is there any other thirdparty ish ssl library that i could use i am all out of options right now

Nik Hendricks
  • 260
  • 1
  • 4
  • 28
  • Possible duplicate of [How to create an HTTPS server in Node.js?](https://stackoverflow.com/questions/5998694/how-to-create-an-https-server-in-node-js) – Sky Voyager May 13 '19 at 09:17

3 Answers3

1

We have lots of dupes of this for other languages, but the closest I can find for nodejs is How to create an HTTPS server in Node.js? which is not specific or ERR_SSL_VERSION_OR_CIPHER_MISMATCH with node v7.9.0 https which is not answered. So:

SSL/TLS server including an HTTPS server needs a privatekey AND certificate/chain (with rare exceptions not applicable here). You can use a CA-issued cert (and chain) instead of a self-created (and usually self-signed) cert, as long as the CA-issued cert is for the same privatekey, but you must still provide the privatekey. You can use cert and key together, or you can combine the cert (and optionally chain) and key into a PKCS12-also-called-PFX file, and use pfx.

In addition to the Q you asked, and arguably offtopic for SO, don't use RC4. It's considered broken cryptographically, though still on average moderately difficult/costly in practice, and most standards for using SSL/TLS/HTTPS prohibit it for several years now, particularly rfc7465.

Community
  • 1
  • 1
dave_thompson_085
  • 29,499
  • 6
  • 42
  • 62
1

tested key and crt with openssl using bellow command (try in browser https://hostname:8888).. and found the exact cipher missing.

openssl s_server -cert server.crt -key server.key -CAfile octopz.zende.sk.ca-bundle -accept 8888 -www

Then added to the nodejs code.

var server = https.createServer({
    key: privateKey,
    cert: certificate,
    ca: certificateAuthority,
    ciphers: [
        "ECDHE-RSA-AES128-SHA256",
        "DHE-RSA-AES128-SHA256",
        "AES128-GCM-SHA256",
        "RC4",
        "HIGH",
        "!MD5",
        "!aNULL"
    ].join(':'),
}, app);

it worked!!

nipuna
  • 89
  • 1
  • 2
  • 6
1

run this command:

openssl req -nodes -new -x509 -keyout server.key -out server.cert

Just remember to set this to localhost:

Common Name (e.g. server FQDN or YOUR name) []: localhost

then

 https.createServer({
    key: fs.readFileSync('./ssl/server.key'),
    cert: fs.readFileSync('./ssl/server.cert')
  },app)

ERR_SSL_VERSION_OR_CIPHER_MISMATCH will appear if the added certificate are not indicated properly in the first argument of createServer().

Badr Bellaj
  • 9,167
  • 1
  • 36
  • 34