Hi Ben,

On Friday, November 23, 2012 11:25:09 PM UTC, Ben Noordhuis wrote:
> Ah, you're running into a quirk of the language. `(SSL_OP_ALL |
> SSL_OP_NO_TICKET) >>> 0` would have given you the expected result,
> 0x80004000 instead of -0x7fffc000.
>
> That's not very intuitive though so I've landed a fix in [1].
>
> Regarding the error queue, you've been looking at it.
> CleartextStream._pusher() calls into OpenSSL; if the operation fails,
> it calls ERR_print_errors(bio) and turns the BIO into an exception.
>
> Maybe Haraka truncates the exception message?
>
> [1] https://github.com/joyent/node/commit/335f208

Thanks very much for this.

Due to the tip-off from the OpenSSL developer that the code causing the
failure was an unusual place for TLS to be failing, I realised that I had
some Haraka plugins that were using crypto.createDecipher and I found that
if I commented one of the plugins out, then the TLS issue went away.

I then managed to find a single encrypted string within a message that if I
attempt to decipher using an incorrect key (caught with try/catch), then TLS
fails with the error on the next write to the socket.

I've spent the last few hours trying in vain to create a simple test case
to no avail (Haraka compiles each plugin using vm.runInNewContext and has
quite a complicated call chain), but I have managed to create a test case
that fails in a similar way using process.nextTick().

Please see attached. You'll need a self-signed certificate to run it:

$ openssl s_client -port 3030

secured!
decrypt error: TypeError: DecipherFinal fail
client error: 2799312:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../deps/openssl/openssl/crypto/evp/evp_enc.c:460:
stack trace: Error: 2799312:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../deps/openssl/openssl/crypto/evp/evp_enc.c:460:
    at CleartextStream._pusher (tls.js:656:24)
    at SlabBuffer.use (tls.js:199:18)
    at CleartextStream.CryptoStream._push (tls.js:483:33)
    at SecurePair.cycle (tls.js:880:20)
    at CleartextStream.CryptoStream.write (tls.js:267:13)
    at tls.createServer.next (/usr/lib/node_modules/Haraka/testcase_new.js:19:20)
    at /usr/lib/node_modules/Haraka/testcase_new.js:24:17
    at Object.exports.doit (/usr/lib/node_modules/Haraka/testcase_new.js:41:13)
    at /usr/lib/node_modules/Haraka/testcase_new.js:23:21
    at process.startup.processNextTick.process._tickCallback (node.js:244:9)

As you can see from this, the OpenSSL error appears to be getting truncated
somewhere else.

Kind regards,
Steve.
tls_testcase.js
Description: JavaScript source
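
Added example, not part of the message above or of the attached tls_testcase.js: a simplified JavaScript model of why an EVP_DecryptFinal_ex error can be reported by a later TLS write. OpenSSL keeps one error queue per thread, and SSL_get_error() is only reliable when that queue is empty before the TLS operation. All function names here are hypothetical, and the model assumes the failed decipher left its entry on the queue, as the trace above suggests.

```javascript
// Simplified model (constructed; not Node or OpenSSL source code).
// One error queue is shared by the EVP cipher routines and the TLS layer.
const errorQueue = [];

// Model of a failed decipher.final() with the wrong key: the error is
// recorded on the shared queue and surfaced to JavaScript as an exception.
// Assumption: the queue entry is left behind after the exception is thrown.
function decipherFinalWrongKey() {
  errorQueue.push('EVP_DecryptFinal_ex:wrong final block length');
  throw new TypeError('DecipherFinal fail');
}

// Model of SSL_get_error(): for a return value <= 0 it inspects the error
// queue before the retry conditions, so a stale entry from unrelated crypto
// code is classified as a fatal TLS error. Only the retry case is modelled.
function sslGetError(ret) {
  if (ret > 0) return { code: 'SSL_ERROR_NONE' };
  if (errorQueue.length > 0) {
    return { code: 'SSL_ERROR_SSL', detail: errorQueue.shift() };
  }
  return { code: 'SSL_ERROR_WANT_READ' };
}

// Model of a non-blocking TLS write that only needs to be retried (ret = -1).
// clearFirst mirrors calling ERR_clear_error() before the TLS operation.
function tlsWrite({ clearFirst }) {
  if (clearFirst) errorQueue.length = 0;
  return sslGetError(-1);
}

// The sequence from the report: a decipher failure that the plugin catches,
// followed by the next write on the TLS socket.
function scenario(clearFirst) {
  errorQueue.length = 0;
  try {
    decipherFinalWrongKey();
  } catch (e) {
    // handled by the caller, as in the plugin's try/catch
  }
  return tlsWrite({ clearFirst });
}

console.log('stale queue:  ', scenario(false));
console.log('cleared queue:', scenario(true));
```

In the first scenario the harmless retry condition is reported as a TLS failure carrying the decipher's error text; clearing the queue before the TLS call removes the misattribution.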
