Did you want me to log this as an issue on GitHub joyent/node?

I've spent some more time looking at this today and I'm wondering if this
bug is related to https://github.com/joyent/node/issues/1719 in that the
error is being left on the stack and incorrectly picked up by the next
OpenSSL call?

Otherwise it looks like the incorrect context object is being used somehow?

Thanks,
Steve.


On Saturday, November 24, 2012 1:00:50 AM UTC, Steve Freegard wrote:
>
> Hi Ben,
>
> On Friday, November 23, 2012 11:25:09 PM UTC, Ben Noordhuis wrote:
>>
>>
>> Ah, you're running into a quirk of the language.
>> `(SSL_OP_ALL | SSL_OP_NO_TICKET) >>> 0` would have given you the
>> expected result, 0x80004000 instead of -0x7fffc000.
>>
>> That's not very intuitive though so I've landed a fix in [1]. 
>>
>> Regarding the error queue, you've been looking at it. 
>> CleartextStream._pusher() calls into OpenSSL; if the operation fails, 
>> it calls ERR_print_errors(bio) and turns the BIO into an exception. 
>>
>> Maybe Haraka truncates the exception message? 
>>
>> [1] https://github.com/joyent/node/commit/335f208 
>>
>
>
> Thanks very much for this.
>
> Due to the tip off from the OpenSSL developer that the code causing the
> failure was an unusual place for TLS to be failing - I realised that I had
> some Haraka plugins that were using crypto.createDecipher and I found that
> if I commented one of the plugins out, then the TLS issue went away.
>
> I then managed to find a single encrypted string within a message that if I
> attempt to decipher using an incorrect key (caught with try/catch), then
> TLS fails with the error on the next write to the socket.
>
> I've spent the last few hours trying in vain to create a simple test case
> to no avail (Haraka compiles each plugin using vm.runInNewContext and has
> quite a complicated call chain), but I have managed to create a test case
> that fails in a similar way using process.nextTick().
>
> Please see attached.  You'll need a self-signed certificate to run it:
>
> $ openssl s_client -port 3030
> secured!
> decrypt error: TypeError: DecipherFinal fail
> client error: 2799312:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../deps/openssl/openssl/crypto/evp/evp_enc.c:460:
>
> stack trace: Error: 2799312:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../deps/openssl/openssl/crypto/evp/evp_enc.c:460:
>
>     at CleartextStream._pusher (tls.js:656:24)
>     at SlabBuffer.use (tls.js:199:18)
>     at CleartextStream.CryptoStream._push (tls.js:483:33)
>     at SecurePair.cycle (tls.js:880:20)
>     at CleartextStream.CryptoStream.write (tls.js:267:13)
>     at tls.createServer.next (/usr/lib/node_modules/Haraka/testcase_new.js:19:20)
>     at /usr/lib/node_modules/Haraka/testcase_new.js:24:17
>     at Object.exports.doit (/usr/lib/node_modules/Haraka/testcase_new.js:41:13)
>     at /usr/lib/node_modules/Haraka/testcase_new.js:23:21
>     at process.startup.processNextTick.process._tickCallback (node.js:244:9)
>
> As you can see from this, the OpenSSL error appears to be getting truncated
> somewhere else.
>
> Kind regards,
> Steve.
>
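
The stale-error hypothesis raised in this thread, as an added example that is not part of the original messages or of Node's source: a simplified JavaScript model of a shared OpenSSL error queue. `ErrQueue`, `decipherFinal`, `tlsWrite` and `scenario` are hypothetical names; the model assumes the decipher failure leaves its error queued and the TLS path reports whatever it finds there.

```javascript
// Simplified model (assumption): one error queue shared by every OpenSSL
// caller on the thread, as with OpenSSL's per-thread ERR queue.
class ErrQueue {
  constructor() { this.items = []; }
  push(msg) { this.items.push(msg); }   // stands in for an OpenSSL failure
  clear() { this.items.length = 0; }    // stands in for ERR_clear_error()
  drain() {                             // stands in for ERR_print_errors(bio)
    const text = this.items.join('\n');
    this.items.length = 0;
    return text;
  }
}

// Hypothetical decipher binding: on failure it throws a generic error but
// leaves the OpenSSL error on the shared queue (error text from the thread).
function decipherFinal(queue, paddingOk) {
  if (!paddingOk) {
    queue.push('error:0606506D:digital envelope routines:' +
               'EVP_DecryptFinal_ex:wrong final block length');
    throw new TypeError('DecipherFinal fail');
  }
  return 'plaintext';
}

// Hypothetical TLS write: the write itself succeeds, but the result is judged
// by whatever is on the shared queue afterwards.
function tlsWrite(queue, data, { clearFirst }) {
  if (clearFirst) queue.clear();        // mitigation: start from an empty queue
  const written = data.length;          // the write does not fail in this model
  const pending = queue.drain();
  if (pending) throw new Error(pending);
  return written;
}

// A plugin swallows the decipher error, then the server writes to the socket.
function scenario(clearFirst) {
  const queue = new ErrQueue();
  try { decipherFinal(queue, false); } catch (e) { /* caught, as in the plugin */ }
  try {
    return { ok: true, written: tlsWrite(queue, 'secured!\n', { clearFirst }) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

console.log(scenario(false)); // write blamed for the decipher failure
console.log(scenario(true));  // queue cleared first, write succeeds
```
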
