1. 使用 openssl 生成服務器和客戶端證書
生成服務器證書。服務器使用自簽名證書(也就是服務器本身扮演 CA，稍後也用它來簽發客戶端證書)。
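# Server key + self-signed certificate. The server doubles as the CA for this
# demo, so run these on the server/CA host only: server-key.pem must never
# leave it (it signs the client certificates below).
openssl genrsa -out server-key.pem 2048

# CSR and self-signature in one step. Answer the CN prompt with the server
# hostname (www.qikangwei.com).
#   -addext (OpenSSL >= 1.1.1) also puts the hostname into subjectAltName,
#     which is what TLS clients match against; recent Node releases and
#     browsers no longer accept a CN-only certificate.
#   req -x509 emits a v3 cert with basicConstraints CA:TRUE, so it is
#     accepted as the issuer of client-cert.pem (a plain "x509 -req -signkey"
#     cert from OpenSSL 3 lacks that extension and may be rejected as a CA).
#   -days: the default validity is only 30 days.
openssl req -new -x509 -sha256 -days 365 \
  -key server-key.pem \
  -addext "subjectAltName=DNS:www.qikangwei.com" \
  -out server-cert.pem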
客戶端證書由 CA(即服務器)用 server-key.pem 簽發。注意：server-key.pem 是服務器私鑰，絕不能複製到客戶端；下面的簽發步驟應在服務器(CA)一側執行，完成後只把 client-key.pem、client-cert.pem 以及作為信任根的 server-cert.pem 複製到客戶端。
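# Client key + CSR. The CN is informational only: the server verifies that the
# client certificate chains to `ca` (server-cert.pem), it does not check a
# client hostname.
openssl genrsa -out client-key.pem 2048
openssl req -new -sha256 -key client-key.pem -out client-csr.pem

# Sign the CSR with the CA (= server) key. Run this on the CA host; then ship
# only client-key.pem, client-cert.pem and server-cert.pem to the client.
#   -sha256: older OpenSSL defaults "x509 -req" to SHA-1.
#   -days: the default validity is only 30 days.
#   -CAcreateserial: creates server-cert.srl on first use.
openssl x509 -req -sha256 -days 365 \
  -in client-csr.pem \
  -CA server-cert.pem -CAkey server-key.pem -CAcreateserial \
  -out client-cert.pem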
2. 建立服務器和客戶端腳本測試
服務器腳本 tls-server.js：
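'use strict';
// Mutual-TLS demo server: accepts one client, requires a client certificate
// signed by our own self-signed server-cert.pem, and logs what the client sends.
var tls = require('tls');
var fs = require('fs');

var caCert = fs.readFileSync('server-cert.pem');
var options = {
  key: fs.readFileSync('server-key.pem'),
  cert: caCert,
  // Trust anchor for client certificates: the server cert doubles as the CA.
  ca: [caCert],
  // Ask for a client certificate and abort the handshake if it does not chain
  // to `ca`. With rejectUnauthorized: true an unauthenticated client never
  // reaches the connection callback, so `authorized` is always true there.
  requestCert: true,
  rejectUnauthorized: true,
};

var server = tls.createServer(options, function (socket) {
  console.log('server connected', socket.authorized ? 'authorized' : 'unauthorized');
  socket.write('welcome!\n');
  socket.setEncoding('utf8');
  socket.on('data', function (data) {
    console.log(data);
  });
  // Without an 'error' listener a reset/aborted connection throws and
  // kills the process.
  socket.on('error', function (err) {
    console.error('socket error:', err.message);
  });
  socket.on('close', function () {
    console.log('client has closed');
    server.close(); // single-connection demo: stop listening after the client leaves
  });
});

// Handshake failures (no client cert, cert not signed by `ca`) are reported
// here rather than as connections; without this listener they vanish silently.
server.on('tlsClientError', function (err) {
  console.error('client rejected:', err.message);
});
server.on('error', function (err) {
  console.error('server error:', err.message);
});

server.listen(2345, function () {
  console.log('server bound');
});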
客戶端腳本 tls-client.js：
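'use strict';
// Mutual-TLS demo client: presents client-cert.pem, trusts only the
// self-signed server-cert.pem, and forwards whatever is typed on stdin.
var tls = require('tls');
var fs = require('fs');

var options = {
  host: 'www.qikangwei.com',
  port: 2345,
  key: fs.readFileSync('client-key.pem'),
  cert: fs.readFileSync('client-cert.pem'),
  // Pin trust to our own CA instead of the system CA store.
  ca: [fs.readFileSync('server-cert.pem')],
  // The default, but kept explicit: fail the handshake on an untrusted chain
  // or when the certificate does not match `host` (checkServerIdentity).
  rejectUnauthorized: true,
};

var client = tls.connect(options, function () {
  // Only reached after a successful, authorized handshake.
  console.log('client connected', client.authorized ? 'authorized' : 'unauthorized');
  process.stdin.setEncoding('utf8');
  process.stdin.on('readable', function () {
    var chunk = process.stdin.read();
    if (chunk !== null) {
      client.write(chunk);
    }
  });
});

client.setEncoding('utf8');
client.on('data', function (data) {
  console.log(data);
});
// Without this, a refused connection or a failed handshake (untrusted cert,
// hostname mismatch, server rejecting our client cert) is an uncaught
// exception instead of a readable message.
client.on('error', function (err) {
  console.error('connection error:', err.message);
});
client.on('end', function () {
  console.log('server closed the connection');
});

// Queued by Node until the handshake completes.
client.write('happy new year!');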
3. 測試
服務器：
node tls-server.js
客戶端：
node tls-client.js
腳本啓動後，在客戶端輸入內容，服務器端會顯示一樣的內容。若客戶端沒有提供由 server-cert.pem 簽發的證書，服務器(requestCert + rejectUnauthorized)會在握手階段直接拒絕連接；若服務器證書與 host 不匹配或不被客戶端的 ca 信任，客戶端同樣會中止握手。