How to honor CRL if session resumption (using Session identifiers) is implemented?

[kumarrishav]

In my current setup, i have implemented session resumption (using Session identifiers) to our mTLS service.

Now, i want to add CRL feature as well. I believe, if session resumption is happening , then certs/keys/CRL won't come into picture. right?

So, how can i implement this? any guidance will be helpful

[kumarrishav]

server side CRL check

const https = require('https');
const fs = require('fs');

// Load server's private key and certificate
const serverKey = fs.readFileSync('path/to/server-key.pem');
const serverCert = fs.readFileSync('path/to/server-cert.pem');

// Load CA certificate (trusted client certs) and CRL
const caCert = fs.readFileSync('path/to/ca-cert.pem');
const crl = fs.readFileSync('path/to/crl.pem');

// TLS options for mutual TLS (mTLS)
const tlsOptions = {
  key: serverKey,
  cert: serverCert,
  ca: caCert, // Trusted CA that issued client certificates
  crl: crl, // CRL file to check for revoked certificates
  requestCert: true, // Require client certificates (mTLS)
  rejectUnauthorized: true, // Reject clients with invalid certificates
  sessionTimeout: 300, // Session timeout for resumption (in seconds)
  sessionIdContext: 'my_tls_server', // Session ID context for session resumption
  honorCipherOrder: true, // Server's cipher order will be honored
};

// Create the HTTPS server
const server = https.createServer(tlsOptions, (req, res) => {
  res.writeHead(200);
  res.end('Hello, Secure mTLS world with CRL-based revocation checks!');
});

// Listen on a secure port (443 or other)
server.listen(443, () => {
  console.log('mTLS server running with session resumption and CRL-based revocation checks.');
});

// Handle session tickets for session resumption
server.on('newSession', (id, data, callback) => {
  console.log('New session established');
  callback(null, data); // Store the session data
});

server.on('resumeSession', (id, callback) => {
  console.log('Resuming session...');
  callback(null, null); // Resume session (no session data in this case)
});

// Log secure connections
server.on('secureConnection', (tlsSocket) => {
  const cert = tlsSocket.getPeerCertificate();

  if (cert && tlsSocket.authorized) {
    console.log('Client certificate authorized:', cert.subject);
  } else {
    console.log('TLS connection failed:', tlsSocket.authorizationError);
    tlsSocket.destroy(); // Terminate the connection if the client certificate is invalid
  }
});

client side CRL check

const https = require('https');
const fs = require('fs');
const crypto = require('crypto');

// Load client certificates and private key
const clientKey = fs.readFileSync('path/to/client-key.pem');
const clientCert = fs.readFileSync('path/to/client-cert.pem');

// Load CA certificate and CRL to verify the server's certificate
const caCert = fs.readFileSync('path/to/ca-cert.pem');
const crl = fs.readFileSync('path/to/crl.pem');

// TLS options for the client with session resumption disabled
const tlsOptions = {
  key: clientKey,              // Client's private key
  cert: clientCert,            // Client's certificate
  ca: caCert,                  // CA certificate to verify the server
  crl: crl,                    // CRL to check server certificate revocation
  rejectUnauthorized: true,    // Reject unauthorized server certificates
  secureOptions: crypto.constants.SSL_OP_NO_TICKET, // Disable session tickets (no resumption)
  agent: false,                // Disable agent to avoid connection reuse
  enableTrace: true,           // Optional: Enable detailed trace to observe handshake behavior
};

// Create the client request to the mTLS server
const req = https.request({
  hostname: 'localhost',  // Server hostname
  port: 443,              // Server port
  method: 'GET',          // HTTP method
  path: '/',              // Request path
  agent: false,           // Disable agent for new connection every time (no reuse)
  ...tlsOptions           // Spread the TLS options
}, (res) => {
  let data = '';
  
  // Handle response data
  res.on('data', (chunk) => {
    data += chunk;
  });

  // Handle end of response
  res.on('end', () => {
    console.log('Response from server:', data);
  });
});

// Listen for the 'secureConnect' event
req.on('secureConnect', () => {
  const socket = req.socket;
  
  // Check if the connection was authorized
  if (socket.authorized) {
    console.log('TLS connection successfully authorized.');
    
    // Get the server's certificate
    const serverCert = socket.getPeerCertificate();
    console.log('Server Certificate Info:', serverCert);

    // You can add more logic to inspect the certificate if needed
  } else {
    console.log('TLS connection not authorized:', socket.authorizationError);
  }
});

// Handle errors (e.g., certificate revocation)
req.on('error', (err) => {
  console.error('Error:', err.message);
});

// Send the request
req.end();

Something like above ^^

and if it's authorized, then implement the CRL/certificate check by ourselves, assuming session resumption was done?
i.e validate the server/client’s certificate after the handshake, including CRL checks?? any sample implementation/pkg to do CRL check by ourselves.

Basically, do i need to implement by myself? I was hoping nodejs takes care of it internally .

cc: @bnoordhuis any help/guidance is appreciated.

[RedYetiDev]

I've closed this in favor of nodejs/help#4495, as the help repo is probably a better place for this kind of question