Unable to set CA or other XHR options on initial handshake

[mattydoincode]

Hello!

I have the unfortunate challenge of trying to get an application working in a corporate/government type environment where all traffic is behind a firewall that decrypts/encrypts traffic to the outside world. The general way we get around that is that in the browser, the browser itself handles the SSL proxy problem, but when running node (in electron, for example) we need to manually say "hey node, use this certificate authority". Example:

https.globalAgent.options.ca = myListOfCerts;

This sets it so that all normal XHR calls to the outside world running in nodejs use this trusted list of certs.

Sockjs, however, is ignoring the global agent (i'm sure for good reason) when making the initial XHR request to the outside world before upgrading to the wss connection. This ignores the global ca option, and sockjs does not currently provide a way to pass through "xhrOptions" or whatever we would like to call them so that we can manually set them.

I'd like to propose allowing xhrOptions to be passed in. I have forked the project for my own purposes, but think it would be a great feature and would be happy to set that PR up if this idea is well received.

Thanks!

[brycekahle]

@mattydoincode I don't see any code that is intentionally ignoring the globalAgent. Can you link me to your changes?

[mcw8d]

@brycekahle I also just ran into a similar problem. I think the issue is that SockJS sets agent: false here. The Node documentation says that agent: false will create a one-time use Agent with default options. From what I can tell that one time use agent seems to ignore environment variables and command line options. The only way I could get my code to connect was to delete that line. Is there a particular reason for using agent: false?

[brycekahle]

@mcw8d Which environment variable are you trying to set that is being ignored?

[mcw8d]

@brycekahle for some context, the server I'm trying to connect to has a cert signed by a CA that I'm pretty sure is loaded into my machine (Chrome, Firefox, curl are all fine with it). I am on a CentOS box using Node 8.11.4 and sockjs-client 1.3.0.
I'm definitely not an expert on the TLS stuff and using certs, but I was trying the following:

• --use-openssl-ca - Since curl doesn't have a problem I thought this might work, but it didn't regardless of the agent: false line
• Setting NODE_TLS_REJECT_UNAUTHORIZED=0 - Worked, but only if the agent: false line was removed.

[brycekahle]

@mcw8d Ok, that makes sense. I don't remember why the agent: false line was added, but I'm sure there was a good reason. Let me see if I can figure that out, and that will inform whether it can be removed or not.

[lucasvwamp]

Any update on this? Not being able to provide a CA or rejectUnauthorized is a pretty big hangup

[brycekahle]

1.6.0 was just published with this fix