Jump to content

Proper Solution of fixing problem with invalid certificate chain for NodeJS apps.

Recommended Posts

At end of last week ESET released Internet Protect module V1475 (also may be 1475.1 have same problem ?) which caused big mass problems to NodeJS based applications including Github Testing tools etc. Topic is discused In this forum thread https://forum.eset.com/topic/40702-eset-ssl-protection-produces-an-invalid-certificate-chain-for-nodejs-apps which is accessible without registration but with broken Captcha so it is almost impossible to write to the thread. Reason of breaking of NODEJS is moving Node.exe based application to area of implicit TLS inspection. To be able to do it Eset must inject local special certificate CA to list of trusted CA certificates. Usually it is handled by Windows Certificate storage or by explicit handle of well known browsers or other handled apps. But NodeJS uses hard-coded CA list (?) and ESET overlooked this problem. Fix in V1476 of module probably simply removes nodejs from filtered TLS. But it is NOT SECURE SOLUTION. I suppose ESET tried to add  filtering because malware uses javascript very often. So there is very usable to inspect TLS communication from secured computer. So as there is cookbook about manual adding of "ESET Filter CA" to list of trusted CA's let's switch TLS checking on even after fixed version revert implicit exclusion of nodejs TLS check. There is possible to use automatic script for export and add CA, I will send script to github repo https://github.com/the-last-byte/ESET-NPM-Breakage-Fix . So use it is good step to improve nodejs security. After this you can switch ESET Explicitly on check of node.exe.


Link to comment
Share on other sites

  • Administrators

Internet protection 1475.1 fixes the issue with NodeJS. It's currently available on the pre-release update channel and for consumer products, with Endpoint to follow soon.

Link to comment
Share on other sites

Thanks for info, I got little messy feedback from customers about problematic versions. But if I understand, fix simply reverts NODEJS to exclusion of TLS check? So state will be  not optimal for javascript security, So some help for manual config  accommodation will help I hope. I recommended switching on explicit check of node.exe, but we not yet tested slowdown penalty for data heavy applications...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...