raspberry pi - bundled openssl seems to be misconfigured on ARM platforms #3906

Closed
TooTallNate opened this Issue Aug 23, 2012 · 10 comments

I'm testing with a basic https "hello world" server:

var fs = require('fs');
var https = require('https');

var options = {
  key: fs.readFileSync('server.key'),
  cert: fs.readFileSync('server.crt')
};

https.createServer(options, handler).listen(443, function () {
  console.log(this.address());
});

function handler (req, res) {
  res.end('Hello World\n');
}

This server doesn't seem to establish a proper SSL connection:


curl

☮ ~ (master) ↝ curl -vk https://n8.io:4433
* About to connect() to n8.io port 4433 (#0)
*   Trying 71.202.229.6...
* connected
* Connected to n8.io (71.202.229.6) port 4433 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to n8.io:4433 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to n8.io:4433 

openssl s_client

☮ ~ (master) ↝ openssl s_client -host n8.io -port 4433
CONNECTED(00000003)
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
verify return:1
12715:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_lib.c:182:

I can give any additional information necessary, and/or I can give someone SSH access to the machine if they'd like to dive in further.

/cc @bnoordhuis @indutny @tjfontaine

Should also mention that when using the system provided openssl the handshake is successful, but it has its own separate issues

stolsma commented Aug 23, 2012

It works with google:

pi@raspberrypi ~ $ curl -vk https://google.nl
* About to connect() to google.nl port 443 (#0)
*   Trying 2a00:1450:4007:801::1017...
* connected
* Connected to google.nl (2a00:1450:4007:801::1017) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-RC4-SHA
* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.nl
*        start date: 2012-08-16 12:30:54 GMT
*        expire date: 2013-06-07 19:43:27 GMT
*        subjectAltName: google.nl matched
*        issuer: C=US; O=Google Inc; CN=Google Internet Authority
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: google.nl
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.nl/
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 23 Aug 2012 07:30:31 GMT
< Expires: Sat, 22 Sep 2012 07:30:31 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.nl/">here</A>.
</BODY></HTML>
* Connection #0 to host google.nl left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

but it fails with connecting to my ISP site (that has HTTPS support).

pi@raspberrypi ~ $ curl -vk https://xs4all.nl
* About to connect() to xs4all.nl port 443 (#0)
*   Trying 2001:888:0:1::888...
* connected
* Connected to xs4all.nl (2001:888:0:1::888) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
pi@raspberrypi ~ $

pi@raspberrypi ~ $ openssl s_client -host xs4all.nl -port 443
CONNECTED(00000003)
1074373840:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
pi@raspberrypi ~ $

Looks like the PI system openssl doesn't support all protocols or encryption methods....

Damn, it would be nice if the nodejs bundled openssl code would compile in the Rasp Pi.... :-(

@stolsma This issue is talking about the bundled openssl. It compiles for me without problem, so I'm not sure what you mean. The system openssl is unsupported.

stolsma commented Aug 23, 2012

@TooTallNate Hmmm, node compiles (when I do ./configure instead of ./configure --shared-openssl) but it crashes when I try to use the crypt and ssl functions. Are you cross-compiling or are you compiling on a Rasp PI?
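A check that helps separate the two symptoms reported in this thread, a failing TLS handshake versus crypto functions that misbehave on a given build (added example, not code from the thread or from the node project): it reports whether the running binary uses the bundled or a shared OpenSSL and runs published known-answer vectors through the `crypto` module. The function names `opensslBuildInfo` and `selfTest` are assumptions of this example, and it uses `Buffer.from`, so it targets current node releases rather than 0.8.

```javascript
// Added example: known-answer self-test for the OpenSSL build behind node's crypto module.
var crypto = require('crypto');

// Published vectors: FIPS 180 "abc", RFC 4231 test case 2, FIPS-197 appendix C.1.
var VECTORS = [
  { name: 'sha1', expect: 'a9993e364706816aba3e25717850c26c9cd0d89d',
    run: function () { return crypto.createHash('sha1').update('abc').digest('hex'); } },
  { name: 'sha256',
    expect: 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
    run: function () { return crypto.createHash('sha256').update('abc').digest('hex'); } },
  { name: 'hmac-sha256',
    expect: '5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843',
    run: function () {
      return crypto.createHmac('sha256', 'Jefe')
        .update('what do ya want for nothing?').digest('hex');
    } },
  { name: 'aes-128-ecb', expect: '69c4e0d86a7b0430d8cdb78070b4c55a',
    run: function () {
      var key = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
      var block = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
      var cipher = crypto.createCipheriv('aes-128-ecb', key, null);
      cipher.setAutoPadding(false); // single raw block, no PKCS#7 padding
      return Buffer.concat([cipher.update(block), cipher.final()]).toString('hex');
    } }
];

// Reports which OpenSSL the binary was configured with (--shared-openssl or bundled).
function opensslBuildInfo() {
  var vars = (process.config && process.config.variables) || {};
  var shared = vars.node_shared_openssl;
  return {
    arch: process.arch,
    openssl: process.versions.openssl,
    linkage: (shared === true || shared === 'true') ? 'shared' : 'bundled'
  };
}

// Runs every vector; a thrown error is recorded as a failure instead of aborting.
function selfTest(vectors) {
  return vectors.map(function (v) {
    var got;
    try { got = v.run(); } catch (e) { got = 'threw: ' + e.message; }
    return { name: v.name, ok: got === v.expect, got: got };
  });
}

console.log(opensslBuildInfo());
selfTest(VECTORS).forEach(function (r) { console.log(r.ok ? 'PASS' : 'FAIL', r.name, r.got); });
```

A hard crash of the process during this run cannot be caught by the `try` block and is itself evidence of a broken crypto build; all-PASS output points the investigation back at the TLS layer.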

Owner

indutny commented Aug 23, 2012

I need one Pi to help you guys resolve it

Member

bnoordhuis commented Aug 23, 2012

> I need one Pi to help you guys resolve it

3.141593 to a first approximation?

Owner

indutny commented Aug 23, 2012

Thanks, I almost found the bug's source now... but it seems that I need a few more details

Owner

indutny commented Aug 23, 2012

Btw, node isn't really supported at Pi atm, AFAIK it works fine only at E.

stolsma commented Aug 23, 2012

@TooTallNate W00t! You are tha bomb!!! The patches work!

I'm testing now the following instructions to compile Node 0.8.8 for the Raspberry PI (https://gist.github.com/3301813). I hope that that will help other people!!

Nathan, again, thanks a lot!!

Fixed.