SSL problem on Intel Celeron N3350 #12691
Comments
|
/cc @nodejs/crypto ? |
|
Can I transfer the issue without duplicating? |
|
@vejo He did not suggest a transfer to another repository, he just requested feedback from the crypto team 😃 |
|
I can't reproduce this issue with the attached programs. I tested it with Node-v7.9.0 on Linux and Windows with i7-6700K (Skylake). The issue of #9594 was confirmed on that machine. #9594 is a rare bug and caused by a specific type of private keys. You can generate several new certificate secret keys and try to test with them. If the error is still occurs even if another certificate key is used, the issue would be caused by another reason. |
|
Maybe I'm wrong with the generalization 'Skylake' and the assumption 'CVE-2016-7055'.
I will go on testing with different client certificates. |
|
The problem does not depend on key values. I have exchanged the server key and tested with different client keys, the problem is stable with the Acer Spin SP111-31 (Celeron N3350) test system. Modified test code: test2.zip |
|
Additional test results for SSL (as client with client certificate) on the Celeron N3350 system, which might depend on different SSL implementation:
|
|
Is a test without client cert also failed? |
|
Test without client cert: also fails with the same error message, as long as either server or client runs on the Celeron. But it works, when cipher is restricted to ECDHE-RSA-AES256-SHA384. Test with http: no problem |
|
So your test results suggest the issue is caused by a cipher suite from client. They show that
How is other following ciphers? They are all included in a default cipher list in Node.
[Edit: two more ciphers was added to OK] |
|
And please remove client cert auth for test simplicity. |
|
Here is the result: Test code: test3.zip |
|
Your tests shows that there are issues in SHA-1 and SHA256 computation but not SHA-384. const crypto = require('crypto');
const sha1 = crypto.createHash('sha1');
const sha256 = crypto.createHash('sha256');
const sha384 = crypto.createHash('sha384');
const text = 'hello world';
sha1.update(text);
sha256.update(text);
sha384.update(text);
// sha1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
console.log('sha1: ', sha1.digest('hex'));
// sha256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
console.log('sha256: ', sha256.digest('hex'));
//sha384: fdbd8e75a67f29f701a4e040385e2e23986303ea10239211af907fcbb83578b3e417cb71ce646efd0819dd8c088de1bd
console.log('sha384: ', sha384.digest('hex'));Looking at the spec of https://ark.intel.com/products/95598/Intel-Celeron-Processor-N3350-2M-Cache-up-to-2_4-GHz, it has AES-NI feature but AVX does not seems to be supported. There is a possibility that openssl assembler build in node would leads this issue. I'm now building node binary of Windows without using openssl asm. Is your windows 64bit version? If not, please tell me it. |
|
Here is a node binary of Windows 64bit without asm support at the latest master branch(8.0.0-pre). A openssl command (openssl-cli.exe) is also included for a tool of the further investigation. Please test with this node.exe. |
|
Result of hasing script: SHA256 is wrong |
|
Result with node v8.0.0-pre is fine! |
|
The initial hint to processor-openssl incompatibility came from an antivirus expert. He listed following processors:
Possibly these processors also are affected, but I don't know how to check the specs. |
|
Could you try to run the test on node-7.9.0 with setting the following environment? It would disable avx functionalities. |
|
After |
|
Thanks. It proves that the issue occurs on the cpu that has no avx support. It needs to investigate the issues comes from Node or OpenSSL but unfortunately I do not have such cpu now to test. Probably it takes some time. That environment is a tentative workaround. Please use it until the issue is resolved. |
|
Shigeki, thanks a lot for your expert aid! |
|
One more information. The reason why we went for the Intel Celeron was, that on one computer in the field (the Acer Spin) nodejs crashed at launch - but the latest nodejs version could start. So there must have been a change between v6.6.0 and v6.7.0, that fixed the startup problem on the Celeron, but also could have opened up the SHA256 malfunction. |
|
@vejo We've made several tests on other Intel cpus but the issue have not been reproduced yet. See the current summary in nodejs/build#704 (comment). In order to identify if the issue is caused by OpenSSL or Node, I've just made openssl command binary from the original openssl sources in the here attached openssl.zip . Please test the following command to see if sha256 hash is the same value. If it returns the right value, please test it with the openssl-cli.exe command included in zip file of #12691 (comment) which is built with the openssl sources included in Node. If this value is wrong, the issue is caused by Node. |
|
The SHA256 is correct with both
|
Sorry, I will make new binaries for both of them later and ask you to test them again. |
|
I made two binaries again. |
|
The result (openssl.exe with its dlls in subdir \o): |
|
Thanks. The result shows that the issue is caused by Node. I will investigate this further. |
|
@vejo this has not landed on v6 or v4. With version 4 being in maintenance mode we only do releases for severe bugs and security vulnerabilities. /cc @nodejs/crypto would you consider this a severe bug? |
|
@MylesBorins Yes, I think this should be backported. It effectively makes a part of our API useless on certain processors so I consider this a severe bug. If we decide not to fix it, we should add a note about the problem to the website. |
|
Thank you for calling backporting into question - let me argue: Nowadays computing a hash value is used as basic mathematics. Until v6.6.0 node.exe just crashed on this Intel Celeron platform - this was bad, but it's got much worse: I do understand, that not every bugfix has to be made in every version. Not for us - knowing the reason we now will be able to do a workaround, even without an official fix. |
|
This seems very reasonable. We should plan a v4 release in the near future
and do an audit for similar experience breaking bugs.
Thanks for taking the time to respond.
…On Wed, Jun 14, 2017, 5:13 PM vejo ***@***.***> wrote:
@MylesBorins <https://github.com/mylesborins>
Thank you for calling backporting into question - let me argue:
Nowadays computing a hash value is used as basic mathematics.
Everybody expects, that the result of 1 + 1 is 2, on every computer system.
That is also true for hash functions, except that this cannot be simply
verified by mental calculation.
So, just delivering a wrong result is really, really dangerous.
More even, as it concerns CPU architecture, that is hitting the market
just now.
Until v6.6.0 node.exe just crashed on this Intel Celeron platform - this
was bad, but it's got much worse:
Since v6.7.0 node is starting, running, but computing wrong results.
Within our software solution it means, that a small percentage of the
systems in the field are storing invalid chained data onto disk.
Every day, undetected, in a legal relevant function.
I do understand, that not every bugfix has to be made in every version.
But what is "LTS" actually worth, if it not even guarantees correct SHA256
values?
For Boron and Argon in my opinion a fix is inevitable.
Or - at least - let node crash, like it did up to v6.6.0.
Not for us - knowing the reason we now will be able to do a workaround,
even without an official fix.
But for those developers already having chased an unexplainable SSL
problem in their program the last three long nights.
Please, let me know your decision.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#12691 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAecV7hPurNBUBLIBfIp9oRe4xoVdFkkks5sEE0CgaJpZM4NJ3Id>
.
|
|
Thank you! |
|
@vejo just wanted to add that that's a really informative answer, exactly what we need to make a decision about whether it makes sense to include this in a v4.x release. Thanks a lot! |
|
@MylesBorins @gibfahn This can be fixed by upgrading openssl-1.0.2l. I labelled LTS-watch in #13233 but is not yet backported. Did I missed something? |
|
If we backport this to v4 and v6, we might want to add a prominent warning about this issue. As far as I know, the new releases will compute different checksums depending on the processor model, which can cause severe problems in a variety of applications. |
This fixes wrong hash results on Windows with some CPUs that support
Intel SHA Extension and resolves the issue of TLS connection errors.
After upgrading forthcoming openssl-1.0.2l, this is no nolonger needed.
Original commit message:
perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.
Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl/openssl#3385)
(cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)
Refs: openssl/openssl#3241
Refs: openssl/openssl#3385
Fixes: #12691
PR-URL: #12913
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This fixes wrong hash results on Windows with some CPUs that support
Intel SHA Extension and resolves the issue of TLS connection errors.
After upgrading forthcoming openssl-1.0.2l, this is no nolonger needed.
Original commit message:
perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.
Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl/openssl#3385)
(cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)
Refs: openssl/openssl#3241
Refs: openssl/openssl#3385
Fixes: #12691
PR-URL: #12913
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
Here a quick and dirty workaround for SHA256 for node 4.x. } |
This fixes wrong hash results on Windows with some CPUs that support
Intel SHA Extension and resolves the issue of TLS connection errors.
After upgrading forthcoming openssl-1.0.2l, this is no nolonger needed.
Original commit message:
perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.
Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl/openssl#3385)
(cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)
Refs: openssl/openssl#3241
Refs: openssl/openssl#3385
Fixes: #12691
PR-URL: #12913
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This fixes wrong hash results on Windows with some CPUs that support
Intel SHA Extension and resolves the issue of TLS connection errors.
After upgrading forthcoming openssl-1.0.2l, this is no nolonger needed.
Original commit message:
perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.
Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl/openssl#3385)
(cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)
Refs: openssl/openssl#3241
Refs: openssl/openssl#3385
Fixes: #12691
PR-URL: #12913
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This fixes wrong hash results on Windows with some CPUs that support
Intel SHA Extension and resolves the issue of TLS connection errors.
After upgrading forthcoming openssl-1.0.2l, this is no nolonger needed.
Original commit message:
perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.
Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl/openssl#3385)
(cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)
Refs: openssl/openssl#3241
Refs: openssl/openssl#3385
Fixes: #12691
PR-URL: #12913
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Works's fine af! Thanks for the genius solution! |
We ran into a SSL problem on an Intel Skylake (even with the latest nodejs versions), which might be caused by an invalid mac calculation. The error occurs on different systems using this processor.
Here one sample error message:
Attached are programs server.js and client.js, with which the problem can be reproduced, if either server or client runs on an Intel Celeron N3350: test.zip
The problem might be in conjunction with "RSA, DH, ECDH computation failures due to CVE-2016-7055 on the Intel CPU of Broadwell or later #9594", but this issue was closed as solved.
The text was updated successfully, but these errors were encountered: