brianc / node-postgres

PostgreSQL client for node.js.
https://node-postgres.com
MIT License

SSL broken with Node 10 #1633

Open jmargaglione opened 6 years ago

jmargaglione commented 6 years ago

It looks like nodejs 10 has moved to openssl-1.1.0, which breaks my code with pg. Running on anything below node-10.0.0 works great.

Here is the error I get from Node when trying to fetch some rows from Postgres 10.1 on Ubuntu 16.04:

Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
    at Object.createSecureContext (_tls_common.js:124:17)
    at Object.exports.connect (_tls_wrap.js:1131:48)
    at Socket.<anonymous> (/home/outlaw/outlawpractice/node_modules/pg/lib/connection.js:89:23)
    at Object.onceWrapper (events.js:275:13)
    at Socket.emit (events.js:182:13)
    at Socket.EventEmitter.emit (domain.js:442:20)
    at addChunk (_stream_readable.js:280:12)
    at readableAddChunk (_stream_readable.js:265:11)
    at Socket.Readable.push (_stream_readable.js:220:10)
    at TCP.onread (net.js:638:20)
error:  Error: Connection terminiated due to connection timeout
    at Connection.con.once (/home/outlaw/outlawpractice/node_modules/pg/lib/client.js:179:21)
    at Object.onceWrapper (events.js:275:13)
    at Connection.emit (events.js:182:13)
    at Connection.EventEmitter.emit (domain.js:442:20)
    at Socket.<anonymous> (/home/outlaw/outlawpractice/node_modules/pg/lib/connection.js:76:10)
    at Socket.emit (events.js:182:13)
    at Socket.EventEmitter.emit (domain.js:442:20)
    at TCP._handle.close [as _onclose] (net.js:598:12)
error:  Error: Connection terminiated due to connection timeout

Error on pgpool2 host:

LOG:  pool_ssl: "SSL_read": "ssl handshake failure"
ERROR:  unable to read data from frontend
DETAIL:  socket read failed with an error "Success"
sehrope commented 6 years ago

After an unrelated fix to one of the tests I'm able to get the entire suite running on node v10. That includes some basic SSL testing as well.

Based on the error messages this sounds like the SSL handshake is being rejected because the key size is too small (i.e. it thinks it's insecure). I'd suggest trying out connecting directly to the underlying DB to see if the issue is on the pgpool-II side. If either the pgpool-II server or the database itself is quite old, it may have been initialized with a smaller key size. The fix would be to generate and install a new larger key.

Alternatively you may be able to override the OpenSSL security level to allow smaller insecure keys. Check out https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html. Though you're likely better off upgrading the private keys.

jmargaglione commented 6 years ago

I generated these keys about 3 months ago based on the PostgreSQL docs for 10.0, so I think they are good. Command line psql to the pgpool server works fine with the given keys on the same server/user/env as the Node 10 host.

I just bought a signed key from GoDaddy, let's see what that does.

sehrope commented 6 years ago

It might also be SSL renegotiation related. There's an old thread from 2015 of someone getting a similar error from pgpool (same error message): https://www.postgresql.org/message-id/flat/561FD644.6040201%40aklaver.com#561FD644.6040201@aklaver.com

If you're able to isolate the problem, it would help to know the pgpool and openssl versions too.