Enable TLS/SSL session resumption in https node

Hi want to enable TLS/ssl session resumption in https node . i am using https node

https://flows.nodered.org/node/node-red-contrib-https

how to do that ?

This is not all easy to implement and requires very careful handling. You have to implement a robust and secure session management capability that keeps track of all sessions and ensures that the sessions cannot be hijacked. So realistically, it requires a database, encryption and a robust way to ensure that the client making a reconnect request is actually the client that had the session originally.

Hopefully you can see that this is likely to be beyond the scope of a simple node that hasn't been updated in over two years.

However, in essence, you should raise an issue in GitHub against that node so that the author can consider it.

We do not need a management of different sessions.Session management is done by the TLS/SSL stack in our deivce.

we are using python and javascript to request to device but in that case src port number is not changing and also all request is going through the one session as only one script fire multiple request.in python we use HttpRequest function to to request to device and ones script run it fire 100 request for that it using same source port number and same session it taken care by internally by python.

in case of node red i think for every request https.js is executing that why i think it opening new socket and session (As i request to to device after each 1sec using inject node)

can u suggest any change in https.js so that session is keep for next request
i tried this option in https.js file
https.request.jar=true
res.socket.setKeepAlive(true,60000);
Node red https node used http.request function internally to request to device.
but it keep that session alive but open new one so can please suggest what can i do in this case

Sorry, not sure you understood the thrust of my answer.

Session resumption without strong, secure session management is VERY dangerous. Just because you are already doing session management doesn't necessarily make it a good idea to build into an https node where others with less knowledge may use it without the correct configuration. Node-RED is used by many people - often with limited knowledge, that is one of its strengths.

Also, having read your response, my gut feeling (obviously I can't know exactly what you've done) is that your session management seems suspect as you seem to be saying that you have a single, common session for many devices? If so, I hope that your network and all of the devices are well secured. Hopefully though, I've misunderstood.

Regardless, as I also mentioned previously, you are in the wrong forum to ask for changes to that node. You need to contact the author via the GitHub repo.

1 Like

There is no single common session for many devices.Rather single common session for one device if I start running script and request to device rapidly.
i just want to node red to keep one session active if i fire 10 request with same ip to device in one mints.

Thanks for your suggestion i will ask for changes in https node in GitHub

Please don't. The Node-RED issue list is not for feature requests.

If you wanted to do some research into how this option can be enabled in an express.js server then that would help.

Yes some how i want to enable session resumption so that node red create one session for many request

can i you suggest any changes?

No, I don't know how to do this. I am suggesting you could do some research for how to enable this option for an express.js server. That would help make something happen, unless anyone else has the time to spend trying to figure this out.

He is asking about a contrib node not a core node.

Good point - I assumed this was the core HTTP In node as he raised an issue against the core node-red project.

@kiran007 if you want to see a change in the node-red-contrib-https node, you'll have to contact its author.

Can I do some changes in contrib https.js locally?

@knolleary : I will definitely do some research on how to enable session resumption or how to keep session alive for next request in express.js.

Thanks

You can but it would be better to clone the repo, change it properly. Then, once tested, you can submit a pull request. If the author doesn't then respond, create a new version and publish.

You can install your clone from your filing system using the command line - starting in the userDir folder:

cd ~/.node-red
npm install /path/to/your/cloned/repo/

Ok Thanks a lot for great supports