Potential SSL/TLS issue when remapping #5
Comments
The plot sickens - I get this on a Debian box with our own build of v0.12.0:
Can we map this stage by stage? Is it currently configured to use TLS?
I'm not sure - to be honest I can't quite figure out how to force TLS instead of optionally falling back to SSLv3. There are constants that can be used but the documentation is quite poor.
In nodejs/node-v0.x-archive#5360 the solution seems to be to force SSLv3 but that is obviously not something we would want to do on every request.
We can do this with the request({ url: 'https://google.com', agentOptions: { secureOptions: constants.SSL_OP_NO_TLSv1_2 }}, callback); I got a list of all TLS and SSL-related constants by requiring the
I could potentially write something that retries requests with one of these options if an error is returned from the request such as the ECONNRESET error described in the bug I referenced earlier. However, turning this into a proper, configurable feature would be quite troublesome and time-consuming, so it would be ideal at least for now to think of something that will work as well as we need it to. There are more options we could provide to
@nosmo Could you give me precise instructions for how to recreate the error you encountered?
I reproduced the first error by remapping distributed.deflect.ca to deflect.ca and then running: I got the error in #5 (comment) by doing the same on a Debian 7 system with node v0.12.0. This error shouldn't be a priority, the first one seems more consistently of concern.
I've tried all the combinations of the recommendations I found in the node issue referenced earlier and have had no luck with fixing the requests you mentioned. I must confess I'm at a loss for how to handle these issues.
I have some good news. This error is maybe possibly almost definitely linked to the This object currently only sets the encoding to null and headers: {Origin: 'Bundler'} - it doesn't set Host (it seems) and it doesn't set any of the SSL flags. By manually hacking in more options mid-function I'm no longer getting these errors (but I am getting some other failure conditions instead).
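An added example, not part of the thread and not Bundler's code: it covers the question above of forcing TLS through secureOptions, and the observation that the request options carry neither Host nor any SSL flags. The names auditSecureOptions and remapRequestOptions are hypothetical, and a current Node.js whose crypto.constants exposes the SSL_OP_NO_* values is assumed.

```javascript
'use strict';
// Added example; helper names are hypothetical, not from Bundler.
const { constants } = require('crypto');

// Protocol-disabling bits that OpenSSL exposes through crypto.constants.
const PROTOCOL_FLAGS = {
  SSLv3: constants.SSL_OP_NO_SSLv3,
  TLSv1: constants.SSL_OP_NO_TLSv1,
  'TLSv1.1': constants.SSL_OP_NO_TLSv1_1,
  'TLSv1.2': constants.SSL_OP_NO_TLSv1_2,
};

// Report which protocol versions a secureOptions mask turns off or leaves on.
function auditSecureOptions(mask) {
  const disabled = [];
  const allowed = [];
  for (const [name, bit] of Object.entries(PROTOCOL_FLAGS)) {
    ((mask & bit) !== 0 ? disabled : allowed).push(name);
  }
  return {
    disabled,
    allowed,
    // "Forces TLS" here: SSLv3 is refused while TLS 1.2 stays available.
    forcesTls: disabled.includes('SSLv3') && allowed.includes('TLSv1.2'),
  };
}

// Options for fetching a remapped origin with https.request (or, via
// agentOptions, with the request library). Host and SNI name the origin,
// and the mask refuses SSLv2/SSLv3 so the handshake cannot fall back to them.
function remapRequestOptions(originHost, path) {
  return {
    hostname: originHost,
    servername: originHost, // SNI value sent in the ClientHello
    path: path || '/',
    headers: { Host: originHost, Origin: 'Bundler' },
    // SSL_OP_NO_SSLv2 may be absent or 0 on builds without SSLv2 support.
    secureOptions: (constants.SSL_OP_NO_SSLv2 || 0) | constants.SSL_OP_NO_SSLv3,
  };
}

// A mask that only sets SSL_OP_NO_TLSv1_2 leaves SSLv3 on and TLS 1.2 off.
console.log(auditSecureOptions(constants.SSL_OP_NO_TLSv1_2));
console.log(auditSecureOptions(remapRequestOptions('deflect.ca').secureOptions));
```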
I haven't had a lot of time to look into this, but I did insert some logging calls to see what's going on a bit, and I've noticed that when I request
Just so I don't forget given that we discussed this on IRC - this is probably a problem with Node's cipher list. TLS negotiation begins and then seems to fail before a cipher is agreed upon. Sounds remarkably similar to this issue: http://www.fitter-happier.net/tech/node.js-and-openSSL/. Unfortunately this isn't really a problem that we can expect server operators to fix, rather it is something that needs to be changed in Node. I'll allocate some time to investigate this.
I think it's safe to close this for now.
I believe there is an SSL problem somewhere in Bundler's remapping - despite extensive debugging, I can't figure out where. When not using remaps, there are zero issues with any of the domains in question.
In my branch (#4) I have added deflect.ca as an origin for distributed.deflect.ca, in addition to fulltimeinter.net as an origin for nosmo.me. The latter works just fine, but the former fails to remap as follows:
Deflect hosts' SSL setups are not exactly unique but they have some specifics - most obviously disabling SSLv2 and SSLv3 completely. There is a restricted but still quite generous cipher list in use also. In this particular case deflect.ca redirects to https://deflect.ca. The HTTPS redirect itself is not an issue as I've tested this in other places.
It looks like this could be related to nodejs/node-v0.x-archive/issues/5360, but I'm not certain. Signs definitely point that way, as using other sites that claimed to be experiencing similar issues as a remap also produces this error.
Getting this with node v0.10.33 and v0.12.0.