raspberry pi - bundled openssl seems to be misconfigured on ARM platforms

[TooTallNate]

I'm testing with a basic https "hello world" server:

var fs = require('fs');
var https = require('https');

var options = {
  key: fs.readFileSync('server.key'),
  cert: fs.readFileSync('server.crt')
};

https.createServer(options, handler).listen(443, function () {
  console.log(this.address());
});

function handler (req, res) {
  res.end('Hello World\n');
}

This server doesn't seem to establish a proper SSL connection:

---

curl

☮ ~ (master) ↝ curl -vk https://n8.io:4433
* About to connect() to n8.io port 4433 (#0)
*   Trying 71.202.229.6...
* connected
* Connected to n8.io (71.202.229.6) port 4433 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to n8.io:4433 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to n8.io:4433 

---

openssl s_client

☮ ~ (master) ↝ openssl s_client -host n8.io -port 4433
CONNECTED(00000003)
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
verify return:1
12715:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_lib.c:182:

I can give any additional information necessary, and/or I can give someone SSH access to the machine if they'd like to dive in further.

/cc @bnoordhuis @indutny @tjfontaine

[tjfontaine]

Should also mention that when using the system provided openssl the handshake is successful, but it has its own separate issues

[stolsma]

It works with google:

pi@raspberrypi ~ $ curl -vk https://google.nl
* About to connect() to google.nl port 443 (#0)
*   Trying 2a00:1450:4007:801::1017...
* connected
* Connected to google.nl (2a00:1450:4007:801::1017) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-RC4-SHA
* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.nl
*        start date: 2012-08-16 12:30:54 GMT
*        expire date: 2013-06-07 19:43:27 GMT
*        subjectAltName: google.nl matched
*        issuer: C=US; O=Google Inc; CN=Google Internet Authority
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: google.nl
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.nl/
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 23 Aug 2012 07:30:31 GMT
< Expires: Sat, 22 Sep 2012 07:30:31 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.nl/">here</A>.
</BODY></HTML>
* Connection #0 to host google.nl left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

but it fails with connecting to my ISP site (that has HTTPS support).

pi@raspberrypi ~ $ curl -vk https://xs4all.nl
* About to connect() to xs4all.nl port 443 (#0)
*   Trying 2001:888:0:1::888...
* connected
* Connected to xs4all.nl (2001:888:0:1::888) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
pi@raspberrypi ~ $

pi@raspberrypi ~ $ openssl s_client -host xs4all.nl -port 443
CONNECTED(00000003)
1074373840:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
pi@raspberrypi ~ $

Looks like the PI system openssl doesn't support all protocols or encryption methods....

Damn, it would be nice if the nodejs bundled openssl code would compile in the Rasp Pi.... :-(

[TooTallNate]

@stolsma This issue is talking about the bundled openssl. It compiles for me without problem, so I'm not sure what you mean. The system openssl is unsupported.

[stolsma]

@TooTallNate Hmmm, node compiles (when I do ./configure instead of ./configure --shared-openssl) but it crashes when I try to use the crypt and ssl functions. Are you cross-compiling or are you compiling on a Rasp PI?

[indutny]

I need one Pi to help you guys resolve it

[bnoordhuis]

I need one Pi to help you guys resolve it

3.141593 to a first approximation?

[indutny]

Thanks, I almost found bug's source now... but it seems that I need a little bit more details

[indutny]

Btw, node isn't really suported at Pi atm, AFAIK it works fine only at E.

[stolsma]

@TooTallNate W00t! You are tha bomb!!! The patches work!

I'm testing now the following instructions to compile Node 0.8.8 for the Raspberry PI (https://gist.github.com/3301813). I hope that that will help other people!!

Nathan, again, thanks a lot!!

[TooTallNate]

Fixed.