nodejs / node


v0.10.x issues with ECDSA cipher suites #6496

Closed terinjokes closed 7 years ago

terinjokes commented 8 years ago

I've noticed an issue with Node.js 0.10.x failing to support ECDSA cipher suites while using the spdy module to connect to api.cloudflare.com. I get the following sad error message (Travis CI):

digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:../deps/openssl/openssl/crypto/evp/p_lib.c:279

The Server Hello selects the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite, which is included in the Client Hello.

This patch from @indutny resolves the issue when I patch 0.10.44. https://gist.github.com/indutny/4e92f5006bdeef4010339b03cc98168e

evanlucas commented 8 years ago

/cc @nodejs/crypto

indutny commented 8 years ago

This is a manifestation of an old ERR_... stack bug. While the fix is easy and straightforward, it is an open question of how to act on this from the perspective of @nodejs/lts. Please weigh in here!

jasnell commented 8 years ago

@indutny ... Do you have a particular recommendation?

jasnell commented 8 years ago

Looking at the patch it seems simple enough, just not sure what the priority is or when we'll actually be cutting a new v0.10.

indutny commented 8 years ago

@jasnell certainly, I'd love to help the user with the problem and land this patch to v0.10. It will probably require us to release a new v0.10, though.

jasnell commented 8 years ago

No objections from me! :)

terinjokes commented 8 years ago

Since this is in a library, I'm likely to need to keep the workaround for the rest of the maintenance period. However, I'll appreciate the fix if there's ever another 0.10.x release.

jasnell commented 8 years ago

I'll bring this up on the LTS WG call and see if we can nail down a set plan for a new 0.10. I think we have a couple other pending items so we might be able to just spin one out.

@indutny ... Can you open a PR against v0.10-staging and label it lts-agenda?

shigeki commented 8 years ago

Sorry, I cannot attend the LTS call tomorrow, and I'm +1 for this fix. But I would like to ask one question. Why is removing ECDSA cipher suites in the client hello in v0.10 not a solution?

jasnell commented 8 years ago

@nodejs/lts: Given that v0.10 is coming up to EOL and it is unlikely that we will be cutting a new v0.10 release, I recommend closing this.