This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

tls: better error messages for certificate validation errors #7460

Closed
bnoordhuis opened this issue Apr 12, 2014 · 2 comments

@bnoordhuis
Member

Example:

var tls = require('tls');
var util = require('util');

// Self-signed CA certificate, CN=ca.strongloop.com. Its validity period
// (notBefore/notAfter) ran from Mar 31, 1999 to Dec 24, 2001, so it has expired.
var cacert =
  '-----BEGIN CERTIFICATE-----\n' +
  'MIIB5TCCAY8CAkFVMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD\n' +
  'VQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEZMBcGA1UECgwQU3Ryb25n\n' +
  'TG9vcCwgSW5jLjESMBAGA1UECwwJU3Ryb25nT3BzMRowGAYDVQQDDBFjYS5zdHJv\n' +
  'bmdsb29wLmNvbTAeFw05OTAzMzEyMjAwMDBaFw0wMTEyMjQyMjAwMDBaMH0xCzAJ\n' +
  'BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEZ\n' +
  'MBcGA1UECgwQU3Ryb25nTG9vcCwgSW5jLjESMBAGA1UECwwJU3Ryb25nT3BzMRow\n' +
  'GAYDVQQDDBFjYS5zdHJvbmdsb29wLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC\n' +
  'QQC7dz/dN2Qms8xBbNny5KTHoOtbl+y7vNAl2YxKpLKRFvHH95uk3jlxp0xjLypr\n' +
  'CD9Dqs95UW6fcuPXaIEuKgAvAgMBAAEwDQYJKoZIhvcNAQEFBQADQQASgzqiepEQ\n' +
  'h/TGAIDbps9iBwAZE9vuGQwbJLPt1eqgmwqpcF0m/vV4STDiBuMBMLXTV4J+zv3B\n' +
  'QEQrSwnx/Y9f\n' +
  '-----END CERTIFICATE-----\n';

// Server (leaf) certificate, CN=strongloop.com, issued by the CA above.
// Valid until Aug 15, 2026, i.e. fine on its own.
var cert =
  '-----BEGIN CERTIFICATE-----\n' +
  'MIIBnDCCAUYCAmQTMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD\n' +
  'VQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEZMBcGA1UECgwQU3Ryb25n\n' +
  'TG9vcCwgSW5jLjESMBAGA1UECwwJU3Ryb25nT3BzMRowGAYDVQQDDBFjYS5zdHJv\n' +
  'bmdsb29wLmNvbTAeFw05OTAzMzEyMjAwMDBaFw0yNjA4MTUyMjAwMDBaMBkxFzAV\n' +
  'BgNVBAMTDnN0cm9uZ2xvb3AuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALvQ\n' +
  'IER7cJBHRgM/cM4WxTCMJuvPmoN1qPt6g+d8a0oJdpw6PiSNV1RBcIymH+ssmooc\n' +
  'FGM7JZxXefPnIL1n0eMCAwEAAaMZMBcwFQYDVR0RBA4wDIcEAAAAAIcEfwAAATAN\n' +
  'BgkqhkiG9w0BAQUFAANBAIq58YOdKv2GUZQWUZgK8WdyPopCZrz7fRWYIU4aVxPP\n' +
  'y18RM/dhGo0IKMb+waEdpGZ9d4zRgqeWAA5hGdIoAsY=\n' +
  '-----END CERTIFICATE-----\n';

// Private key matching the server certificate.
var key =
  '-----BEGIN PRIVATE KEY-----\n' +
  'MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAu9AgRHtwkEdGAz9w\n' +
  'zhbFMIwm68+ag3Wo+3qD53xrSgl2nDo+JI1XVEFwjKYf6yyaihwUYzslnFd58+cg\n' +
  'vWfR4wIDAQABAkAqqxD5nfWnwZmFWV9eYsvvyJd7EVIwNYXrhBz9dUXGrtV6/MMJ\n' +
  'ajnvJcJ3xmMqbVmfpcU+YTXiHDbNo/yoQnBpAiEA9IknvbGnj6IUGC6e0iusIhCE\n' +
  'A0FngBe2rp/SG8BaAK8CIQDEnjN/FmPOK/MZTt2yCxPN5PIqMsFDAjpWV/i2lH8H\n' +
  'DQIhAIOFAQrVcfmegpA/AsynEH2BxH67vp72IhrpemfSnJWhAiBypWSVqDKOF2Zq\n' +
  'zWfL11W26tah8HJsZjIqAqXNoIzpSQIgS35nfACVBZ5Infz98QKfjj2/ni2TW/jJ\n' +
  'kkmZ3rU5GKs=\n' +
  '-----END PRIVATE KEY-----\n';

// Both certificates go into the server's trust store via `ca`, so the expired
// CA ends up in the chain the client has to verify.
var ca = [cert, cacert];
// Null-encryption suite, chosen only to keep the handshake minimal; it is not in
// the default cipher list, so the client below has to offer the same suite or the
// handshake fails before certificate verification is reached.
var ciphers = 'NULL-MD5';
var options = { ciphers: ciphers, ca: ca, cert: cert, key: key };

tls.createServer(options, function(conn) {
  conn.end('go away');
  this.close();  // `this` is the server: one connection is enough
}).listen(function() {
  // The client relies on the default CA store and the default verification
  // settings, so the expired CA in the server's chain makes verification fail.
  var conn = tls.connect({
    host: this.address().address,
    port: this.address().port,
    ciphers: ciphers,
  });
  // Certificate verification failures surface as an 'error' event.
  conn.on('error', function(err) {
    console.error(util.inspect(err, true, 1));
  });
});

In this example, the server certificate is valid but the CA certificate has expired. When you run it, it prints:

{ [Error: CERT_HAS_EXPIRED]
  [stack]: [Getter/Setter],
  [arguments]: undefined,
  [type]: undefined,
  [message]: 'CERT_HAS_EXPIRED' }

That's not very helpful because when you inspect the return value of conn.getPeerCertificate(), the expiry date is August 15, 2026.

Suggestions for improvement:

  • Add a property that tells what certificate has expired.
  • Add the 'Not Before' and 'Not After' fields as properties (for this particular error.)

Apropos getPeerCertificate(), it's kind of odd that it calls the fields valid_from and valid_to instead of e.g. notBefore and notAfter.
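A user-land version of the diagnostics the issue asks for, added here as an example (it is not code from the issue or from node itself). It takes the object returned by `conn.getPeerCertificate(true)` in Node versions that support the `detailed` argument (per-hop `valid_from`/`valid_to` strings plus an `issuerCertificate` link), walks the chain, reports which certificate is outside its validity period, and attaches the subject, chain depth, Not Before and Not After to the error. The helper names `parseValidity`, `certChain`, `checkValidity` and `annotateCertError` are this example's own, and the sample chain is constructed to mirror the two certificates in the issue (subjects and validity periods decoded from the PEM blobs above).

```javascript
// Added example, not part of the issue or of node: enrich a CERT_HAS_EXPIRED /
// CERT_NOT_YET_VALID error with the certificate that actually caused it.

var MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
               Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// valid_from / valid_to look like 'Mar 31 22:00:00 1999 GMT' (OpenSSL's ASN1_TIME
// print format; a single-digit day is padded with a space, e.g. 'Mar  1 ...').
function parseValidity(s) {
  var m = /^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) GMT$/.exec(s);
  if (!m || !(m[1] in MONTHS)) throw new Error('unrecognised validity date: ' + s);
  return new Date(Date.UTC(+m[6], MONTHS[m[1]], +m[2], +m[3], +m[4], +m[5]));
}

// Leaf first, then each issuer. A self-signed root's issuerCertificate either
// points back at itself or is absent, so stop at the first repeat.
function certChain(peerCert) {
  var chain = [];
  for (var c = peerCert; c && chain.indexOf(c) === -1; c = c.issuerCertificate) {
    chain.push(c);
  }
  return chain;
}

// One entry per certificate that is not valid at `now`, from depth 0 (the leaf)
// upward, carrying the Not Before / Not After bounds the issue asks for.
function checkValidity(peerCert, now) {
  var problems = [];
  certChain(peerCert).forEach(function(c, depth) {
    var notBefore = parseValidity(c.valid_from);
    var notAfter = parseValidity(c.valid_to);
    var code = null;
    if (now < notBefore) code = 'CERT_NOT_YET_VALID';
    else if (now > notAfter) code = 'CERT_HAS_EXPIRED';
    if (code) {
      problems.push({ code: code, depth: depth, subject: (c.subject || {}).CN,
                      notBefore: notBefore, notAfter: notAfter });
    }
  });
  return problems;
}

// Attach the offending certificate's details to the error from the 'error'
// handler. Node 0.10 carries the OpenSSL reason only in err.message; later
// versions also set err.code, so accept either.
function annotateCertError(err, peerCert, now) {
  var reason = err.code || err.message;
  var problems = checkValidity(peerCert, now);
  var p = problems.filter(function(x) { return x.code === reason; })[0] || problems[0];
  if (!p) return err;  // not a validity problem: leave the error untouched
  err.certificate = p.subject;
  err.depth = p.depth;
  err.notBefore = p.notBefore;
  err.notAfter = p.notAfter;
  err.message = reason + ': ' + p.subject + ' (depth ' + p.depth + ') is only valid from ' +
    p.notBefore.toISOString() + ' to ' + p.notAfter.toISOString();
  return err;
}

// Constructed sample chain in getPeerCertificate(true) shape, mirroring the two
// certificates from the issue: an expired self-signed CA and a leaf valid to 2026.
var sampleCa = {
  subject: { CN: 'ca.strongloop.com' }, issuer: { CN: 'ca.strongloop.com' },
  valid_from: 'Mar 31 22:00:00 1999 GMT', valid_to: 'Dec 24 22:00:00 2001 GMT'
};
sampleCa.issuerCertificate = sampleCa;  // self-signed root links to itself
var sampleLeaf = {
  subject: { CN: 'strongloop.com' }, issuer: { CN: 'ca.strongloop.com' },
  valid_from: 'Mar 31 22:00:00 1999 GMT', valid_to: 'Aug 15 22:00:00 2026 GMT',
  issuerCertificate: sampleCa
};

// Evaluate as of the day the issue was filed; in the client from the issue you
// would instead call:
//   conn.on('error', function(err) {
//     console.error(annotateCertError(err, conn.getPeerCertificate(true), new Date()));
//   });
var ISSUE_DATE = new Date(Date.UTC(2014, 3, 12));
var annotated = annotateCertError(new Error('CERT_HAS_EXPIRED'), sampleLeaf, ISSUE_DATE);
console.error(annotated.message);
```

The chain walk matters more than the date parsing: the error names only the reason code, and the leaf's `valid_to` is the misleading 2026 date from the issue, so the expired certificate is only found by checking every hop up to the root and reporting its depth.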

@bnoordhuis
Member Author

For some reason, GH swallows half the error message...

@indutny
Member

indutny commented Apr 14, 2014

I'm too lame to implement it, but I'll accept PR doing it.

4 participants