Can I see the TLS cert of a remote website in a worker

francis.turner · June 5, 2019, 5:19am

I’m playing with workers to test connectivity to things. Using the fetch command I can get HTML (or JSON etc.) from a remote website. E.g. one of the examples has the worker getting https://workers-tooling.cf/demos/static/html

One of the things I want to do is view is the TLS certificate of the remote host in the connection that got that data.

In node.js I can do this by 'require’ing the tls library and then doing some tweaking of callbacks from getting the data, but you can’t require tls or other node fundamentals in this environment.

With cloudflare workers I need to use the fetch command but the cloudflare response object doesn’t seem to have the hooks to view the TLS certificate. In the request.cf object this stuff is present but that’s for the request to the worker as I understand it.

Am I missing/misunderstanding something in the documentation? or is this not possible?

Thanks in advance

Francis

sandro · June 5, 2019, 5:43am

Dont take my response as a definitive answer, as my experience with Fetch is somewhat shaky, but from everything a quick search revealed it really would seem as if there is no dedicated access to that information. You seem to be able to include a client certificate as part of the request (“credential” in Fetch’es lingo) but not access the server certificate.

https://fetch.spec.whatwg.org/#response-class

Only possibility I could imagine right now is that it is injected as meta data into the headers object. Have you checked there? But thats mere guessing.

Again, no definitive answer

francis.turner · June 5, 2019, 7:32am

Thanks for trying to help

Looking at the definitions in the URL you posted headers is just the HTTP headers. I’m going to try and enumerate them on a real fetch to confirm

Edit did so.

Example result has no TLS stuff
cf-ray: 4e20708fcbffc538-ORD
content-length: 342content-type: text/html;
charset=UTF-8
date: Wed, 05 Jun 2019 07:30:10 GMT
expect-ct: max-age=604800, report-uri=“https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct”
server: cloudflare
set-cookie: __cfduid=dfd9aa7666c9db243e606de662ee9acbd1559719810; expires=Thu, 04-Jun-20 07:30:10 GMT; path=/; domain=.workers-tooling.cf; HttpOnly

sandro · June 5, 2019, 7:34am

That was my assumption. In that case it really looks like it is not possible to access the server certificate in this context.

sandro · June 5, 2019, 7:38am

Maybe check out the environment settings object as well

https://html.spec.whatwg.org/multipage/webappapis.html#https-state