-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS fails reading self-signed certificate on node 4.2.5+ #5100
Comments
@diegossilveira I tested with the v4 branch, so quite possible that that is the reason. |
there were three commits that landed on 4.2.5 that touched TLS. Perhaps @indutny has some insight |
/cc @jasnell |
It is definitely caused by that PFX commit. Reverting it fixes the issue. Will look more deeply into it. |
This is where the issue comes from: a2c1799#diff-801e3948990f4965a8ea4aca4a423864L928 . Going to investigate the best way to fix it right now. |
Ok, so I have several thoughts about this. There are two conflicting things in my opinion:
From stability point of view, we should not really break anything unless there is security need for this, and that commit is absolutely breaking change (as we have just figured out). From sanity point of view, there is no way in PKCS12 ( @dbkup is what cc @nodejs/crypto @nodejs/ctc @nodejs/lts |
Should be fixed by #5109 |
OK, let's get this fixed in the next LTS release after next week's security
|
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: nodejs#5100
@jasnell do you think we should break this behavior in next major release? I mean should we make |
@indutny Nice reaction time, thank you :). I've since checked my certs once more. I have a local CA which was used for signing the client/server certificates in question. Seems to me that this behaviour should be supported for use in an internal network, i.e. the certs are used in a controlled environment. I have also tried generating another set of certs using openssl 1.0.1f, suspecting a compatibility issue of some sorts, getting other errors, like UNABLE_TO_VERIFY_LEAF_SIGNATURE and DEPTH_ZERO_SELF_SIGNED_CERT (on v4.2.4) so I guess I'm not doing something right. I will check your update for my case when it's available. |
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: nodejs#5100
This is a follow-up fix for half-broken test in 23196fe, and an attempt to recover some dignity after breaking CI.
This is a follow-up fix for half-broken test in 23196fe, and an attempt to recover some dignity after breaking CI. PR-URL: nodejs#5144 Reviewed-By: Rich Trott <rtrott@gmail.com>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: nodejs#5100 PR-URL: nodejs#5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
This is a follow-up fix for half-broken test in 23196fe, and an attempt to recover some dignity after breaking CI. PR-URL: nodejs#5144 Reviewed-By: Rich Trott <rtrott@gmail.com>
Rename the tests appropriately alongside mentioning the subsystem Also, make a few basic changes to make sure the tests conform to the standard test structure 1. Renamed test-regress-GH-io-1068 to test-tty-stdin-end 2. Renamed test-regress-GH-io-1811 to test-zlib-kmaxlength-rangeerror 3. Renamed test-regress-GH-node-9326 to test-kill-segfault-freebsd 4. Renamed test-timers-regress-nodejsGH-9765 to test-timers-setimmediate-infinite-loop 5. Renamed test-tls-pfx-nodejsgh-5100-regr to test-tls-pfx-authorizationerror 6. Renamed test-tls-regr-nodejsgh-5108 to test-tls-tlswrap-segfault Fixes: nodejs#19105 Refs: nodejs#19105 Refs: https://github.com/nodejs/node/blob/master/doc/guides/writing-tests.md#test-structure
Rename the tests appropriately alongside mentioning the subsystem. Also, make a few basic changes to make sure the tests conform to the standard test structure. - Rename test-regress-GH-io-1068 to test-tty-stdin-end - Rename test-regress-GH-io-1811 to test-zlib-kmaxlength-rangeerror - Rename test-regress-GH-node-9326 to test-kill-segfault-freebsd - Rename test-timers-regress-GH-9765 to test-timers-setimmediate-infinite-loop - Rename test-tls-pfx-gh-5100-regr to test-tls-pfx-authorizationerror - Rename test-tls-regr-gh-5108 to test-tls-tlswrap-segfault PR-URL: #19332 Fixes: #19105 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Yuta Hiroto <hello@hiroppy.me> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Rename the tests appropriately alongside mentioning the subsystem. Also, make a few basic changes to make sure the tests conform to the standard test structure. - Rename test-regress-GH-io-1068 to test-tty-stdin-end - Rename test-regress-GH-io-1811 to test-zlib-kmaxlength-rangeerror - Rename test-regress-GH-node-9326 to test-kill-segfault-freebsd - Rename test-timers-regress-GH-9765 to test-timers-setimmediate-infinite-loop - Rename test-tls-pfx-gh-5100-regr to test-tls-pfx-authorizationerror - Rename test-tls-regr-gh-5108 to test-tls-tlswrap-segfault PR-URL: #19332 Fixes: #19105 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Yuta Hiroto <hello@hiroppy.me> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Rename the tests appropriately alongside mentioning the subsystem. Also, make a few basic changes to make sure the tests conform to the standard test structure. - Rename test-regress-GH-io-1068 to test-tty-stdin-end - Rename test-regress-GH-io-1811 to test-zlib-kmaxlength-rangeerror - Rename test-regress-GH-node-9326 to test-kill-segfault-freebsd - Rename test-timers-regress-GH-9765 to test-timers-setimmediate-infinite-loop - Rename test-tls-pfx-gh-5100-regr to test-tls-pfx-authorizationerror - Rename test-tls-regr-gh-5108 to test-tls-tlswrap-segfault PR-URL: #19332 Fixes: #19105 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Yuta Hiroto <hello@hiroppy.me> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Rename the tests appropriately alongside mentioning the subsystem. Also, make a few basic changes to make sure the tests conform to the standard test structure. - Rename test-regress-GH-io-1068 to test-tty-stdin-end - Rename test-regress-GH-io-1811 to test-zlib-kmaxlength-rangeerror - Rename test-regress-GH-node-9326 to test-kill-segfault-freebsd - Rename test-timers-regress-GH-9765 to test-timers-setimmediate-infinite-loop - Rename test-tls-pfx-gh-5100-regr to test-tls-pfx-authorizationerror - Rename test-tls-regr-gh-5108 to test-tls-tlswrap-segfault PR-URL: #19332 Fixes: #19105 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Yuta Hiroto <hello@hiroppy.me> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
I'm having an issue with ssl certificate validation using the
tls
module. The server is started with:The client:
My issue is that I get
tlsSocket.authorizationError
SELF_SIGNED_CERT_IN_CHAIN on v4.2.5+ but not on older versions. Here's my output on a Windows machine, but the same happens on an Ubuntu server.The
auth->
line is printed to console with thetlsSocket.authorizationError
parameter when a client connects. In the case of a successful connect this field isnull
.Tested down to 0.12.9, all versions read the certificate without issues.
The text was updated successfully, but these errors were encountered: