Enable TLS/SSL session resumption in https node

kiran007 · 12 July 2019 05:27

Hi want to enable TLS/ssl session resumption in https node . i am using https node

https://flows.nodered.org/node/node-red-contrib-https

how to do that ?

TotallyInformation · 12 July 2019 09:27

This is not all easy to implement and requires very careful handling. You have to implement a robust and secure session management capability that keeps track of all sessions and ensures that the sessions cannot be hijacked. So realistically, it requires a database, encryption and a robust way to ensure that the client making a reconnect request is actually the client that had the session originally.

Hopefully you can see that this is likely to be beyond the scope of a simple node that hasn't been updated in over two years.

However, in essence, you should raise an issue in GitHub against that node so that the author can consider it.

kiran007 · 12 July 2019 12:12

We do not need a management of different sessions.Session management is done by the TLS/SSL stack in our deivce.

we are using python and javascript to request to device but in that case src port number is not changing and also all request is going through the one session as only one script fire multiple request.in python we use HttpRequest function to to request to device and ones script run it fire 100 request for that it using same source port number and same session it taken care by internally by python.

in case of node red i think for every request https.js is executing that why i think it opening new socket and session (As i request to to device after each 1sec using inject node)

can u suggest any change in https.js so that session is keep for next request
i tried this option in https.js file
https.request.jar=true
res.socket.setKeepAlive(true,60000);
Node red https node used http.request function internally to request to device.
but it keep that session alive but open new one so can please suggest what can i do in this case

TotallyInformation · 12 July 2019 17:13

Sorry, not sure you understood the thrust of my answer.

Session resumption without strong, secure session management is VERY dangerous. Just because you are already doing session management doesn't necessarily make it a good idea to build into an https node where others with less knowledge may use it without the correct configuration. Node-RED is used by many people - often with limited knowledge, that is one of its strengths.

Also, having read your response, my gut feeling (obviously I can't know exactly what you've done) is that your session management seems suspect as you seem to be saying that you have a single, common session for many devices? If so, I hope that your network and all of the devices are well secured. Hopefully though, I've misunderstood.

Regardless, as I also mentioned previously, you are in the wrong forum to ask for changes to that node. You need to contact the author via the GitHub repo.

kiran007 · 15 July 2019 10:33

There is no single common session for many devices.Rather single common session for one device if I start running script and request to device rapidly.
i just want to node red to keep one session active if i fire 10 request with same ip to device in one mints.

Thanks for your suggestion i will ask for changes in https node in GitHub

knolleary · 15 July 2019 11:21

Please don't. The Node-RED issue list is not for feature requests.

If you wanted to do some research into how this option can be enabled in an express.js server then that would help.

kiran007 · 15 July 2019 11:36

Yes some how i want to enable session resumption so that node red create one session for many request

can i you suggest any changes?

knolleary · 15 July 2019 11:39

No, I don't know how to do this. I am suggesting you could do some research for how to enable this option for an express.js server. That would help make something happen, unless anyone else has the time to spend trying to figure this out.

TotallyInformation · 15 July 2019 11:54

He is asking about a contrib node not a core node.

knolleary · 15 July 2019 11:55

Good point - I assumed this was the core HTTP In node as he raised an issue against the core node-red project.

@kiran007 if you want to see a change in the node-red-contrib-https node, you'll have to contact its author.

kiran007 · 15 July 2019 12:06

Can I do some changes in contrib https.js locally?

@knolleary : I will definitely do some research on how to enable session resumption or how to keep session alive for next request in express.js.

Thanks

TotallyInformation · 15 July 2019 12:44

You can but it would be better to clone the repo, change it properly. Then, once tested, you can submit a pull request. If the author doesn't then respond, create a new version and publish.

You can install your clone from your filing system using the command line - starting in the userDir folder:

cd ~/.node-red
npm install /path/to/your/cloned/repo/

kiran007 · 15 July 2019 13:32

Ok Thanks a lot for great supports

Topic		Replies	Views
Getting session of TCP Connection without direct connection to the node General	5	623	31 January 2022
Do Node red http requests open new socket for each request to same ip and port Core Development	5	775	11 July 2019
Pull request proposal: automatic certificate renewal Feature Requests	24	2988	4 June 2020
Running into SSL/TLS problems with "http request" upgrading from 2.2.2 to 3.1.3 General security	4	130	5 March 2024
Is it possible to use NodeRED as functioning LAN https server? General	9	1438	2 March 2019

Enable TLS/SSL session resumption in https node

Related Topics