I just noticed the `AuthenticationToken` is used here, so it's not
related to #16064. The root cause is only that the prebuilt C++ add-on
might have a different CA cert store path with the local env.

Thanks,
Yunze

On Wed, Feb 22, 2023 at 10:30 PM Yunze Xu <y...@streamnative.io> wrote:
>
> Hi Enrico and Nicolo,
>
> The Node.js client is based on the C++ client so it requires the C++ Add-on [1].
>
> For 1.7.0 or earlier, when users install the client, the `npm install
> pulsar-client` command builds the add-on. It means they have to
> install the C++ compiler. For 1.8.0 or later, we have provided the
> prebuilt C++ add-on. However, the prebuilt C++ add-on depends on
> libcurl, whose CA cert store path is determined when building the
> libcurl.
>
> Before 1.8.0, the Node.js client depended on C++ client 2.x.y, which
> does not include #16064 [2], which fixes the CVE. Before #16064,
> libcurl did not verify the peer, which led to the CVE.
>
> ```c++
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
> ```
>
> You can find a more detailed explanation here [3]. In short, when
> users install the Node.js client using the prebuilt C++ add-on, the CA
> cert store path is fixed but it could be different in a different OS.
> So we have to specify the CA cert store path via the
> tlsTrustCertsFilePath config now.
>
> To avoid the code changes, maybe we have to fall back to the old way
> of installing the Node.js client, i.e. building the C++ add-on in users'
> local env.
>
> [1] https://nodejs.org/api/addons.html#c-addons
> [2] https://github.com/apache/pulsar/pull/16064
> [3] https://github.com/apache/pulsar-client-cpp/issues/184#issuecomment-1420509146
>
>
> Thanks,
> Yunze
>
> On Wed, Feb 22, 2023 at 6:10 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > The problem reported by Nicolò seems like a real showstopper.
> > -1 (binding)
> >
> > Is there any volunteer to fix the problem?
> >
> > I think that most production users use TLS and this problem prevents
> > anyone from upgrading from 1.7.x to 1.8.x.
> >
> > Enrico
> >
> > On Wed, Feb 22, 2023 at 10:33 Nicolò Boschi
> > <boschi1...@gmail.com> wrote:
> > >
> > > Yes, I'm on macOS
> > >
> > > Adding the explicit path to the system CA worked, thanks.
> > >
> > > I wonder why it wasn't needed in 1.7.0 and now it's required in 1.8.1.
> > > This can be problematic for users because the client upgrade requires code
> > > changes and redeployment.
> > > Maybe it's a regression from 1.8.0, but I think that we need to get that
> > > fixed in 1.8.1
> > >
> > > Nicolò Boschi
> > >
> > >
> > > On Wed, Feb 22, 2023 at 10:17 Baodi Shi <ba...@apache.org>
> > > wrote:
> > >
> > > > Hi, @Nicolò Boschi <boschi1...@gmail.com>
> > > >
> > > > Is your system macOS (arm64)?
> > > >
> > > > Maybe you should set tlsTrustCertsFilePath:
> > > >
> > > > ```javascript
> > > > const client = new Pulsar.Client({
> > > >   tlsTrustCertsFilePath: '/etc/ssl/cert.pem',
> > > > });
> > > > ```
> > > >
> > > > Thanks,
> > > > Baodi Shi
> > > >
> > > >
> > > > On Feb 22, 2023 at 15:59:28, Nicolò Boschi <boschi1...@gmail.com> wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> I'm having issues while validating the fix related to the hostname
> > > >> verification: https://github.com/apache/pulsar-client-cpp/pull/126
> > > >> My use case is with a valid TLS certificate signed by a CA (not a
> > > >> self-signed one).
> > > >>
> > > >> My code is very simple (see below): it creates a client with token auth +
> > > >> TLS and sends some messages.
> > > >>
> > > >> It works well with node client 1.7.0 with cpp client 3.1.2.
> > > >> It fails with node client 1.8.0 (as expected).
> > > >> It still fails with the rc: 1.8.1-rc.1.
> > > >>
> > > >> (I'm installing the dependency with `npm i pulsar-client@1.8.1-rc.1
> > > >> --pulsar_binary_host_mirror=https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/`.)
> > > >>
> > > >> The error I'm seeing is this one:
> > > >>
> > > >> [INFO][ClientConnection:388] Connected to broker
> > > >> [ERROR][ClientConnection:488] Handshake failed: certificate verify failed
> > > >> (SSL routines, tls_process_server_certificate)
> > > >> [INFO][ClientConnection:1600] Connection closed with ConnectError
> > > >>
> > > >> Note that setting `tlsValidateHostname: true` "resolves" the problem,
> > > >> however it's not acceptable as you know.
> > > >>
> > > >> I'm pretty sure that it's related to the cpp client dependency, however
> > > >> I'm not very familiar with it and how it's bundled in the node client >= 1.8.0.
> > > >> Is there a way to verify if the bundled cpp client is actually the
> > > >> expected one?
> > > >>
> > > >> This is the code snippet:
> > > >> ```javascript
> > > >> // asToken, pulsarUrl and asTopic are defined elsewhere in the poster's setup.
> > > >> const Pulsar = require('pulsar-client');
> > > >>
> > > >> // Wrapped in an async function so the awaits below are valid in CommonJS.
> > > >> async function main() {
> > > >>   const tokenStr = asToken;
> > > >>   const pulsarUri = pulsarUrl;
> > > >>   const topicName = asTopic;
> > > >>
> > > >>   const auth = new Pulsar.AuthenticationToken({ token: tokenStr });
> > > >>   const client = new Pulsar.Client({
> > > >>     serviceUrl: pulsarUri,
> > > >>     authentication: auth,
> > > >>     operationTimeoutSeconds: 30,
> > > >>     tlsCertificateFilePath: "",
> > > >>     tlsValidateHostname: false
> > > >>   });
> > > >>   Pulsar.Client.setLogHandler((level, file, line, message) => {
> > > >>     console.log('[%s][%s:%d] %s', Pulsar.LogLevel.toString(level), file,
> > > >>       line, message);
> > > >>   });
> > > >>
> > > >>   const producer = await client.createProducer({
> > > >>     topic: topicName,
> > > >>   });
> > > >>
> > > >>   for (let i = 0; i < 10; i += 1) {
> > > >>     await producer.send({
> > > >>       data: Buffer.from("nodejs-message-" + i),
> > > >>     });
> > > >>     console.log("send message " + i);
> > > >>   }
> > > >>   await producer.flush();
> > > >>   await producer.close();
> > > >>   await client.close();
> > > >> }
> > > >>
> > > >> main();
> > > >> ```
> > > >>
> > > >> Thanks,
> > > >> Nicolò Boschi
> > > >>
> > > >>
> > > >> On Wed, Feb 22, 2023 at 08:02 Yunze Xu
> > > >> <y...@streamnative.io.invalid> wrote:
> > > >>
> > > >> +1 (binding)
> > > >>
> > > >> * Verified checksum and signature
> > > >> * Build from source
> > > >> * Install from npm on Ubuntu 20.04
> > > >> * Run an end-to-end test with custom `tlsTrustCertsFilePath` config on
> > > >> StreamNative cloud with OAuth2 authentication
> > > >>
> > > >> BTW, from the discussion here [1], it would be better to use
> > > >> https://downloads.apache.org/pulsar/KEYS as the KEYS.
> > > >>
> > > >> [1] https://lists.apache.org/thread/f9w430oqpm0g72b1htwbtc8y3mfqf8r6
> > > >>
> > > >> Thanks,
> > > >> Yunze
> > > >>
> > > >> On Mon, Feb 20, 2023 at 5:36 PM Nozomi Kurihara <nkuri...@apache.org>
> > > >> wrote:
> > > >> >
> > > >> > +1 (binding)
> > > >> >
> > > >> > * checked license headers
> > > >> > * verified checksum and signature
> > > >> > * install from npm and run producer/consumer
> > > >> >
> > > >> > Thanks,
> > > >> > Nozomi
> > > >> >
> > > >> > On Fri, Feb 17, 2023 at 19:12 Baodi Shi <ba...@apache.org>:
> > > >> >
> > > >> > > Hi everyone,
> > > >> > >
> > > >> > > This is the first release candidate for Apache Pulsar Node.js client,
> > > >> > > version 1.8.1.
> > > >> > >
> > > >> > > It fixes the following issues:
> > > >> > > https://github.com/apache/pulsar-client-node/pulls?q=is%3Apr+label%3Arelease%2Fv1.8.1+is%3Aclosed
> > > >> > >
> > > >> > > Please download the source files and review this release candidate:
> > > >> > > - Download the source package, verify shasum and asc
> > > >> > > - Follow the README.md to build and run the Pulsar Node.js client.
> > > >> > >
> > > >> > > The release candidate package has been published to the npm
> > > >> > > registry: https://www.npmjs.com/package/pulsar-client/v/1.8.1-rc.1
> > > >> > > You can install it by `npm i pulsar-client@1.8.1-rc.1
> > > >> > > --pulsar_binary_host_mirror=https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/`
> > > >> > > and verify the package.
> > > >> > >
> > > >> > > The vote will be open for at least 72 hours. It is adopted by majority
> > > >> > > approval, with at least 3 PMC affirmative votes.
> > > >> > >
> > > >> > > Source files:
> > > >> > > https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/pulsar-client-node-1.8.1-rc.1/
> > > >> > >
> > > >> > > Pulsar's KEYS file containing PGP keys we use to sign the
> > > >> > > release: https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > >> > >
> > > >> > > SHA-512 checksum:
> > > >> > > ed89b4ad467d3cb75ed37096b35d91b872cd93d36cd953512fc7edcb75dbac5162592f6f51b5ab08f26b3dca1c57a3d3fe7a5e4f109551c66943a5b09392d51a
> > > >> > >  apache-pulsar-client-node-1.8.1.tar.gz
> > > >> > >
> > > >> > > The tag to be voted upon:
> > > >> > > v1.8.1-rc.1 (3e843f0)
> > > >> > > https://github.com/apache/pulsar-client-node/releases/tag/v1.8.1-rc.1
> > > >> > >
> > > >> > > Please review and vote on the release candidate #1 for the version
> > > >> > > 1.8.1, as follows:
> > > >> > > [ ] +1, Approve the release
> > > >> > > [ ] -1, Do not approve the release (please provide specific comments)
> > > >> > >
> > > >> > > Thanks,
> > > >> > > Baodi Shi
