SSL routines:ssl3_get_record:wrong version number #573

Closed
mpalourdio opened this issue Jul 13, 2023 · 7 comments

@mpalourdio

Hello,

Docker image: broker:4.157.1-bitbucket-server

We have installed the Snyk broker on our OpenShift instance (we do not have a token yet). The outbound connection to Snyk is performed through our enterprise proxy (the URL is whitelisted as expected).

But the broker fails because of SSL routines:ssl3_get_record:wrong version number

{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":30,"brokerClientId":"7190f16f-8413-49fc-83e6-3d92880cbeab","msg":"generated broker client id","time":"2023-07-13T12:54:14.970Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":30,"enabled":false,"msg":"checking for HA mode","time":"2023-07-13T12:54:14.970Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":30,"enabled":true,"msg":"verifying if preflight checks are enabled","time":"2023-07-13T12:54:14.970Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":30,"enabled":false,"msg":"checking for HA mode","time":"2023-07-13T12:54:14.971Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":40,"retryCount":3,"errorMessage":"write EPROTO 140403255646144:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","url":"https://broker.snyk.io/healthcheck","msg":"retrying request x 3 ","time":"2023-07-13T12:54:16.238Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":40,"attempt":0,"operation":"http check broker-server-status","timeout":100,"msg":"waiting for 100ms before next try","time":"2023-07-13T12:54:17.250Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":40,"retryCount":3,"errorMessage":"write EPROTO 140403255646144:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","url":"https://broker.snyk.io/healthcheck","msg":"retrying request x 3 ","time":"2023-07-13T12:54:18.372Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":40,"attempt":1,"operation":"http check broker-server-status","timeout":200,"msg":"waiting for 200ms before next try","time":"2023-07-13T12:54:19.387Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":40,"retryCount":3,"errorMessage":"write EPROTO 140403255646144:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","url":"https://broker.snyk.io/healthcheck","msg":"retrying request x 3 ","time":"2023-07-13T12:54:20.576Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":40,"attempt":2,"operation":"http check broker-server-status","timeout":400,"msg":"waiting for 400ms before next try","time":"2023-07-13T12:54:21.565Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":40,"retryCount":3,"errorMessage":"write EPROTO 140403255646144:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","url":"https://broker.snyk.io/healthcheck","msg":"retrying request x 3 ","time":"2023-07-13T12:54:23.042Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":50,"error":{"name":"Error","message":"Error executing check with checkId broker-server-status","stack":"Error: Error executing check with checkId broker-server-status\n at HttpCheckService.run (/home/node/.npm-global/lib/node_modules/snyk-broker/dist/lib/client/checks/http/http-check-service.js:33:19)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)\n at async retry (/home/node/.npm-global/lib/node_modules/snyk-broker/dist/lib/client/retry/exponential-backoff.js:7:16)\n at async executePreflightChecks (/home/node/.npm-global/lib/node_modules/snyk-broker/dist/lib/client/checks/index.js:28:29)\n at async Object.module.exports [as client] (/home/node/.npm-global/lib/node_modules/snyk-broker/dist/lib/client/index.js:33:37)\n at async Object.main (/home/node/.npm-global/lib/node_modules/snyk-broker/dist/lib/index.js:40:12)\n at async module.exports (/home/node/.npm-global/lib/n...
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":30,"url":"https://broker.snyk.io","serverId":"","msg":"broker client is connecting to broker server","time":"2023-07-13T12:54:24.074Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":30,"rulesCount":110,"msg":"loading new rules","time":"2023-07-13T12:54:24.075Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":30,"port":"8000","msg":"local server is listening","time":"2023-07-13T12:54:24.146Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":30,"rulesCount":1,"msg":"loading new rules","time":"2023-07-13T12:54:24.147Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-8659b74568-zk2pr","pid":1,"level":50,"type":"TransportError","description":404,"msg":"Failed to connect to broker server","time":"2023-07-13T12:54:24.528Z","v":0}

Running the Docker image outside of OpenShift leads to the same error.
The proxy configuration is OK, because running this from the node CLI works as expected from the container itself:

// Fetch the broker health endpoint with the `request` library
const request = require('request');
request('https://broker.snyk.io/healthcheck', function (error, response, body) {
  console.error('error:', error);
  console.log('statusCode:', response && response.statusCode);
  console.log('body:', body);
});

Response

> error: null
statusCode: 200
body: {"ok":true,"version":"4.155.0"}

Thanks

@pavel-snyk
Contributor

Hey @mpalourdio,

It looks like you are trying to access the proxy using HTTPS instead of HTTP.
Could you provide more information about the env vars you specified and link this GitHub issue, so we can take a closer look at it?
https://support.snyk.io/hc/en-us/requests/new

Thanks

@aarlaud
Contributor

aarlaud commented Jul 27, 2023

The preflight checks actually do not use request but Axios instead. So might be something else going on here.

@mpalourdio
Author

mpalourdio commented Aug 8, 2023

Hi,

Sorry for my late reply (holidays). I wanted to send a request, but I do not have a Snyk Organization ID for the moment. We'll be onboarded next week. Before that, I wanted to anticipate the installation :/

FWIW, I have just set the HTTP_PROXY, not HTTPS_PROXY (setting both does the same anyway)

@mpalourdio
Author

mpalourdio commented Aug 15, 2023

Hello,

The token has been provided. Now the trace when testing the connection from Snyk to our broker is:

{"name":"snyk-broker","hostname":"bitbucket-server-broker-7f68598b54-l4mvk","pid":1,"level":50,"url":"/projects?limit=1000","requestId":"5a8aa753-31fc-4d2f-9a8d-6ca7fae3c03d","streamingID":"ace7f09b-49bc-44d4-925a-e4d6be3c2bde","maskedToken":"a192-...-53cf","hashedToken":"XXXXXXXXXXXXXXXXXXXXXXx","transport":"polling","httpUrl":"https://git.our-domin.ch/outils/git/rest/api/1.0/projects?limit=1000","userAgentHeaderSet":true,"authHeaderSetByRuleAuth":true,"error":{"name":"Error","message":"tunneling socket could not be established, statusCode=503","stack":"Error: tunneling socket could not be established, statusCode=503\n at ClientRequest.onConnect (/home/node/.npm-global/lib/node_modules/snyk-broker/node_modules/tunnel-agent/index.js:166:19)\n at addChunk (node:internal/streams/readable:315:12)\n at readableAddChunk (node:internal/streams/readable:289:9)\n at Socket.Readable.push (node:internal/streams/readable:228:10)\n at TCP.onStreamRead (node...
{"name":"snyk-broker","hostname":"bitbucket-server-broker-7f68598b54-l4mvk","pid":1,"level":30,"url":"/projects?limit=1000","requestMethod":"GET","requestHeaders":{"connection":"close","x-real-ip":"10.7.129.228","x-forwarded-host":"broker-snyk-server-v2.default","x-forwarded-port":"5000","host":"broker-snyk-server-v2-10.broker-snyk-server-v2-headless.default.svc.cluster.local:5000","accept":"application/json","snyk-request-id":"dd7c46cc-5b10-40c0-ab29-fba0532d01fe"},"requestId":"dd7c46cc-5b10-40c0-ab29-fba0532d01fe","streamingID":"bba69f7e-e956-4430-a30d-a3b3b188d433","maskedToken":"a192-...-53cf","hashedToken":"XXXXXXXXXXXXXXXXXXX","transport":"polling","msg":"received request over websocket connection","time":"2023-08-15T09:56:56.374Z","v":0}

Note that we have also set
NO_PROXY=*.our-domain.ch

Because we need to bypass our proxy to reach our-domain.ch

@mpalourdio
Author

mpalourdio commented Aug 15, 2023

Update,
NO_PROXY=.our-domain.ch (without the wildcard) seems to have fixed the access

We still have the following traces at the very start, but it seems OK anyway. So not sure if this is relevant or hiding something weird.

{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":30,"accept":"tf,yaml,yml,json,tpl","msg":"Injecting Accept rules for IAC extensions - Possible values tf, yaml, yml, json, tpl","time":"2023-08-15T10:32:59.612Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":30,"accept":"true","msg":"Injecting Accept rules for Code/Git","time":"2023-08-15T10:32:59.613Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":30,"version":"4.158.1","msg":"running in client mode","time":"2023-08-15T10:32:59.614Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":30,"brokerClientId":"XXXXXXXXXXXXXXXXXXXXXXXXx","msg":"generated broker client id","time":"2023-08-15T10:32:59.614Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":30,"enabled":false,"msg":"checking for HA mode","time":"2023-08-15T10:32:59.614Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":30,"enabled":true,"msg":"verifying if preflight checks are enabled","time":"2023-08-15T10:32:59.614Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":30,"enabled":false,"msg":"checking for HA mode","time":"2023-08-15T10:32:59.615Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":40,"retryCount":3,"errorMessage":"write EPROTO 140206196926400:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","url":"https://broker.snyk.io/healthcheck","msg":"retrying request x 3 ","time":"2023-08-15T10:33:00.784Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":40,"attempt":0,"operation":"http check broker-server-status","timeout":100,"msg":"waiting for 100ms before next try","time":"2023-08-15T10:33:01.757Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":40,"retryCount":3,"errorMessage":"write EPROTO 140206196926400:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","url":"https://broker.snyk.io/healthcheck","msg":"retrying request x 3 ","time":"2023-08-15T10:33:02.884Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":40,"attempt":1,"operation":"http check broker-server-status","timeout":200,"msg":"waiting for 200ms before next try","time":"2023-08-15T10:33:03.958Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":40,"retryCount":3,"errorMessage":"write EPROTO 140206196926400:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","url":"https://broker.snyk.io/healthcheck","msg":"retrying request x 3 ","time":"2023-08-15T10:33:05.206Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":40,"attempt":2,"operation":"http check broker-server-status","timeout":400,"msg":"waiting for 400ms before next try","time":"2023-08-15T10:33:06.235Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":40,"retryCount":3,"errorMessage":"write EPROTO 140206196926400:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","url":"https://broker.snyk.io/healthcheck","msg":"retrying request x 3 ","time":"2023-08-15T10:33:07.687Z","v":0}
{"name":"snyk-broker","hostname":"bitbucket-server-broker-fd7fc79cd-xrvxj","pid":1,"level":50,"error":{"name":"Error","message":"Error executing check with checkId broker-server-status","stack":"Error: Error executing check with checkId broker-server-status\n at executeHttpRequest (/home/node/.npm-global/lib/node_modules/snyk-broker/dist/lib/client/checks/http/http-executor.js:35:15)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)\n at async Object.check (/home/node/.npm-global/lib/node_modules/snyk-broker/dist/lib/client/checks/http/index.js:21:20)"},"msg":"Unexpected error when executing checks","time":"2023-08-15T10:33:08.702Z","v":0}
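
The `NO_PROXY` change reported above, as an added example that is not part of this thread or of the broker's code: a matcher that treats each entry as a literal domain suffix, which is an assumed rule (check your HTTP client's documentation for its exact behaviour), plus a small lint for wildcard entries. The function names are hypothetical and the host names are the redacted ones used in the thread.

```javascript
'use strict';

// Split "host[:port]" into its parts; an entry without a port matches any port.
function parseEntry(entry) {
  const m = entry.trim().toLowerCase().match(/^(.*?)(?::(\d+))?$/);
  return { host: m[1], port: m[2] || null };
}

// True when a request to hostname:port should bypass the proxy.
// Assumed rule: entries are literal suffixes matched on a label boundary,
// and only a lone "*" is special (it disables the proxy for every host).
function bypassesProxy(noProxy, hostname, port) {
  const entries = (noProxy || '').split(',').map((e) => e.trim()).filter(Boolean);
  if (entries.includes('*')) return true;
  const host = hostname.toLowerCase();
  return entries.some((entry) => {
    const zone = parseEntry(entry);
    if (zone.port && zone.port !== String(port)) return false;
    const suffix = zone.host.replace(/^\./, ''); // ".example" and "example" are equivalent
    // A "*" inside an entry is compared literally, so "*.example" never matches.
    return host === suffix || host.endsWith('.' + suffix);
  });
}

// Flag entries that contain a wildcard a literal matcher will not expand.
function lintNoProxy(noProxy) {
  return (noProxy || '').split(',').map((e) => e.trim())
    .filter((e) => e.includes('*') && e !== '*')
    .map((e) => ({ entry: e, suggestion: e.startsWith('*.') ? e.slice(1) : null }));
}

// Constructed inputs taken from the values quoted in the thread.
for (const value of ['*.our-domain.ch', '.our-domain.ch']) {
  console.log(value, '->', bypassesProxy(value, 'git.our-domain.ch', 443));
}
console.log(lintNoProxy('*.our-domain.ch,localhost'));
```

With this rule an internal host listed only under a wildcard entry is still sent to the proxy, which fits the 503 tunneling error in the earlier trace.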

@pavel-snyk
Contributor

@mpalourdio, thanks for keeping us updated.
The first failing traces belong to the preflight check feature. Under the hood we use the axios library, which struggles with proxies. We're working on the task to replace this library (no ETA yet).

If the issue is solved on your side, we can close the issue.

@mpalourdio
Author

Thanks for the feedback. I am confident this will be OK now.
