createCredentials error in node 0.8.10 #4059

Closed
jfbouzereau opened this Issue · 6 comments

2 participants

@jfbouzereau

In node 0.8 crypto is no longer able to prompt the user for the password to read the private key.
In node 0.6 the same code worked fine. It may be that standard input and output are not
treated the same way?

Here is a small example and the corresponding log file.

var fs = require("fs");
var crypto = require("crypto");
var https = require("https");

function process_request(req, res) { }

// ssl.key is a password-protected private key
var options = {};
options.key = fs.readFileSync("ssl.key");
options.cert = fs.readFileSync("ssl.crt");
options.ca = [fs.readFileSync("sub.class1.server.ca.pem.cer"),
              fs.readFileSync("ca.pem.cer")];
options.requestCert = false;

var server = https.createServer(options, process_request);

server.listen(9400);

crypto.js:84
      c.context.setKey(options.key);
                ^
Error: error:0906406D:PEM routines:PEM_def_callback:problems getting password
    at Object.exports.createCredentials (crypto.js:84:17)
    at Server (tls.js:1062:28)
    at new Server (https.js:34:14)
    at Object.exports.createServer (https.js:49:10)
    at Object.<anonymous> (/home/ec2-user/cutanet/test.js:16:20)
    at Module._compile (module.js:449:26)
    at Object.Module._extensions..js (module.js:467:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.runMain (module.js:492:10)

I've tracked down the problem to deps/openssl/openssl/crypto/ui/ui_lib.c
in the UI_process function. The ui_write_string call returns an error.
Beyond that point, we are in the openssl library, which I cannot easily debug...

@bnoordhuis

Confirmed, thanks.

@piscisaureus It's because of 1c88c3b, we don't compile in the openssl ui functions anymore. I'm afraid we'll have to undo that.

@jfbouzereau You can use the patch below as a workaround:

diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp
index 2acb0ac..3f4a7fa 100644
--- a/deps/openssl/openssl.gyp
+++ b/deps/openssl/openssl.gyp
@@ -21,7 +21,6 @@
         'OPENSSL_NO_RDRAND',
         'OPENSSL_NO_GOST',
         'OPENSSL_NO_HW_PADLOCK',
-        'OPENSSL_NO_TTY',
       ],
       'sources': [
         'openssl/ssl/bio_ssl.c',
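Review bot: the removal of 'OPENSSL_NO_TTY' from this defines list leaves nothing in openssl.gyp to say why the define has to stay out. A one-line comment above the list noting that OpenSSL's terminal UI is what prompts for the password of an encrypted private key (the PEM_def_callback failure reported in this issue) would keep a later cleanup from adding it back.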
@@ -576,7 +575,6 @@
         'openssl/crypto/ts/ts_verify_ctx.c',
         'openssl/crypto/txt_db/txt_db.c',
         'openssl/crypto/ui/ui_compat.c',
-        'openssl/crypto/ui/ui_dummy.c',
         'openssl/crypto/ui/ui_err.c',
         'openssl/crypto/ui/ui_lib.c',
         'openssl/crypto/ui/ui_openssl.c',
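Review bot: the removal of 'openssl/crypto/ui/ui_dummy.c' from 'sources' is not tied anywhere to the 'OPENSSL_NO_TTY' removal in the first hunk, so it is unclear whether either edit is safe to apply or revert on its own. Please state in the commit message whether the define and the dummy source have to change as a pair, and add a test that loads a password-protected key so a partial change is caught.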

EDIT: Or this patch for v0.8.

diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp
index 37aff68..6ece3ee 100644
--- a/deps/openssl/openssl.gyp
+++ b/deps/openssl/openssl.gyp
@@ -19,7 +19,6 @@
         # Work around brain dead SunOS linker.
         'OPENSSL_NO_GOST',
         'OPENSSL_NO_HW_PADLOCK',
-        'OPENSSL_NO_TTY'
       ],
       'sources': [
         'openssl/ssl/bio_ssl.c',
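Review bot: with 'OPENSSL_NO_TTY' gone from the v0.8 defines, loading an encrypted key without a supplied password depends on OpenSSL being able to prompt, and the patch carries no note on what a server started without a terminal should do. Document next to it that the password can be supplied by the application as one of the createCredentials options, as described later in this thread, so unattended deployments do not rely on the prompt.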
@@ -536,7 +535,6 @@
         'openssl/crypto/ui/ui_compat.c',
         'openssl/crypto/ui/ui_err.c',
         'openssl/crypto/ui/ui_lib.c',
-        'openssl/crypto/ui/ui_dummy.c',
         'openssl/crypto/ui/ui_openssl.c',
         'openssl/crypto/ui/ui_util.c',
         'openssl/crypto/uid.c',
@jfbouzereau

Ok thanks for confirming the problem. I will use the suggested patch as a temporary workaround, but I think a fix in node 0.8 is obviously needed. Should I close this issue?

@bnoordhuis

> Should I close this issue?

No, we'll close it once it's resolved.

@jfbouzereau

To avoid compiling a non-standard version of node, I fixed the problem by prompting for the password in the application and passing it as one of the createCredentials options.
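The application-side workaround described in the comment above, sketched as an added example that is not code from this thread or from the node project. It assumes a current Node.js (crypto.createPrivateKey, and https.createServer accepting `key` and `passphrase`); the helper names and the sample key are constructed for illustration.

```javascript
const crypto = require('crypto');

// True for PKCS#8 (ENCRYPTED PRIVATE KEY) or traditional (Proc-Type: 4,ENCRYPTED) PEM.
function isEncryptedPem(pem) {
  return /BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED/.test(String(pem));
}

// Read a passphrase from the terminal without echo. Fails closed when stdin
// is not a TTY (daemon, CI) instead of relying on OpenSSL's own prompt.
function promptPassphrase(prompt, cb) {
  const stdin = process.stdin;
  if (!stdin.isTTY) return cb(new Error('no TTY for passphrase prompt'));
  let buf = '';
  const done = (err) => {
    stdin.setRawMode(false); stdin.pause(); stdin.removeListener('data', onData);
    process.stderr.write('\n');
    cb(err, err ? undefined : buf);
  };
  function onData(chunk) {
    for (const ch of chunk.toString('utf8')) {
      if (ch === '\r' || ch === '\n') return done(null);
      if (ch === '\u0003') return done(new Error('cancelled')); // Ctrl-C
      if (ch === '\u007f' || ch === '\b') buf = buf.slice(0, -1); // backspace
      else buf += ch;
    }
  }
  process.stderr.write(prompt);
  stdin.setRawMode(true); stdin.resume(); stdin.on('data', onData);
}

// Key options for https.createServer; the passphrase is verified here, before TLS setup.
function keyOptions(keyPem, passphrase) {
  if (!isEncryptedPem(keyPem)) return { key: keyPem };
  if (!passphrase) throw new Error('key is encrypted: passphrase required');
  try {
    crypto.createPrivateKey({ key: keyPem, passphrase });
  } catch (e) {
    throw new Error('passphrase does not decrypt the key');
  }
  return { key: keyPem, passphrase };
}

// Constructed sample: throwaway EC key encrypted with a made-up passphrase.
function makeSampleKey(passphrase) {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  }).privateKey;
}
console.log(Object.keys(keyOptions(makeSampleKey('constructed-pass'), 'constructed-pass')));
```

In a server, call promptPassphrase at startup and merge the result of keyOptions with `cert` and `ca` before calling https.createServer.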

@bnoordhuis

@piscisaureus Ping. Roll back?

@bnoordhuis closed this issue from a commit
Revert "Disable OpenSSL UI"
This reverts commit 1c88c3b.

It breaks the "read a password from stdin" functionality that OpenSSL provides.

Fixes #4059, #4143.

Conflicts:

	deps/openssl/openssl.gyp
28b0cc0
@bnoordhuis

Reverted in 28b0cc0. Reading a password should work again in the next release, v0.8.13.
