Jump to content

Proper Solution of fixing problem with invalid certificate chain for NodeJS apps.


Recommended Posts

Posted

At end of last week ESET released Internet Protect module V1475 (also may be 1475.1 have same problem ?) which caused big mass problems to NodeJS based applications including Github Testing tools etc. Topic is discused In this forum thread https://forum.eset.com/topic/40702-eset-ssl-protection-produces-an-invalid-certificate-chain-for-nodejs-apps which is accessible without registration but with broken Captcha so it is almost impossible to write to the thread. Reason of breaking of NODEJS is moving Node.exe based application to area of implicit TLS inspection. To be able to do it Eset must inject local special certificate CA to list of trusted CA certificates. Usually it is handled by Windows Certificate storage or by explicit handle of well known browsers or other handled apps. But NodeJS uses hard-coded CA list (?) and ESET overlooked this problem. Fix in V1476 of module probably simply removes nodejs from filtered TLS. But it is NOT SECURE SOLUTION. I suppose ESET tried to add  filtering because malware uses javascript very often. So there is very usable to inspect TLS communication from secured computer. So as there is cookbook about manual adding of "ESET Filter CA" to list of trusted CA's let's switch TLS checking on even after fixed version revert implicit exclusion of nodejs TLS check. There is possible to use automatic script for export and add CA, I will send script to github repo https://github.com/the-last-byte/ESET-NPM-Breakage-Fix . So use it is good step to improve nodejs security. After this you can switch ESET Explicitly on check of node.exe.

 

  • Administrators
Posted

Internet protection 1475.1 fixes the issue with NodeJS. It's currently available on the pre-release update channel and for consumer products, with Endpoint to follow soon.

Posted

Thanks for info, I got little messy feedback from customers about problematic versions. But if I understand, fix simply reverts NODEJS to exclusion of TLS check? So state will be  not optimal for javascript security, So some help for manual config  accommodation will help I hope. I recommended switching on explicit check of node.exe, but we not yet tested slowdown penalty for data heavy applications...

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...