
Node 8 - OpenSSL client compatibility after DST Root CA X3 expiration (Let's Encrypt) #40282

Closed
jbeaudoin11 opened this issue Oct 1, 2021 · 3 comments

Comments

jbeaudoin11 commented Oct 1, 2021

Version

v8.17.0

Platform

Linux 5.4.0-87-generic #98~18.04.1-Ubuntu SMP Wed Sep 22 10:45:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

tls

What steps will reproduce the bug?

Any request made to a website that serves Let's Encrypt's cross-signed certificate chain.

const https = require("https");
// Any request to a host serving the cross-signed Let's Encrypt chain; without an
// "error" listener the verify failure surfaces as the uncaught exception below.
https.get("https://letsencrypt.org/", (res) => { console.log("PASS"); })
  .on("error", (err) => { console.error(err.message); });

How often does it reproduce? Is there a required condition?

A cross-signed certificate chain must be in use.
For now, the only one I know of is the one used by Let's Encrypt.

What is the expected behavior?

PASS

What do you see instead?

Error: certificate has expired
    at TLSSocket.<anonymous> (_tls_wrap.js:1116:38)
    at emitNone (events.js:106:13)
    at TLSSocket.emit (events.js:208:7)
    at TLSSocket._finishInit (_tls_wrap.js:643:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38)

Additional information

Of course I know that Node 8 is not supported anymore, but I'm working with an old code base. We tried multiple times to upgrade, but a memory leak that only presents itself on newer versions stops us each time.

The problem is with OpenSSL; we need to add the flag X509_V_FLAG_TRUSTED_FIRST:

static const X509_VERIFY_PARAM default_table[] = {
    {
     "default",              /* X509 default parameters */
     0,                      /* Check time */
     0,                      /* internal flags */
     0,                      /* flags */
     0,                      /* purpose */
     0,                      /* trust */
     100,                    /* depth */
     NULL,                   /* policies */
     vpm_empty_id},

From the master branch:

static const X509_VERIFY_PARAM default_table[] = {
    {
     "default",              /* X509 default parameters */
     0,                      /* Check time */
     0,                      /* internal flags */
     X509_V_FLAG_TRUSTED_FIRST, /* flags */
     0,                      /* purpose */
     0,                      /* trust */
     100,                    /* depth */
     -1,                     /* auth_level */
     NULL,                   /* policies */
     vpm_empty_id},

I've tested it and it works after the change. I'm not familiar with the PR process in place, but I can do one if you want me to.

Anyways... Since the fix is extremely simple and probably affects a significant number of people, is it possible to make an exception? If not, we can still build from source and run our own version of Node, I guess 🤷‍♂️.
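Editor's illustration of the failure the report describes, added here and not part of the issue thread, of OpenSSL, or of Node.js: a simplified model of chain building with and without X509_V_FLAG_TRUSTED_FIRST. Certificates are plain objects with subject, issuer and expiry only (no signatures are checked); the names are those of the Let's Encrypt chain of the time, the dates are constructed sample values, and the depth limit of 100 mirrors the default_table entry above. With the flag off the peer-supplied cross-signed ISRG Root X1 is followed to the expired DST Root CA X3; with it on, the trust store is consulted first and the chain ends at the self-signed ISRG Root X1.

```javascript
// Added illustration, not OpenSSL's or Node's code: a simplified model of how
// a verifier builds the chain with and without X509_V_FLAG_TRUSTED_FIRST.
// Certificates are plain objects (no signatures); only subject/issuer links,
// expiry and the trust anchor are modelled, which is enough to reproduce the
// "certificate has expired" failure from the report.

// Constructed trust store for 2021-10-01: ISRG Root X1 (valid) and the
// expired DST Root CA X3. Dates are sample values in ISO form so that plain
// string comparison orders them.
const TRUST_STORE = [
  { subject: "ISRG Root X1", issuer: "ISRG Root X1", notAfter: "2035-06-04" },
  { subject: "DST Root CA X3", issuer: "DST Root CA X3", notAfter: "2021-09-30" },
];

// Constructed peer-supplied chain for letsencrypt.org: leaf, R3, and the
// ISRG Root X1 certificate cross-signed by DST Root CA X3.
const PEER_CHAIN = [
  { subject: "letsencrypt.org", issuer: "R3", notAfter: "2021-12-01" },
  { subject: "R3", issuer: "ISRG Root X1", notAfter: "2025-09-15" },
  { subject: "ISRG Root X1", issuer: "DST Root CA X3", notAfter: "2024-09-30" },
];

const MAX_DEPTH = 100; // same limit as the default_table "depth" entry

const isSelfSigned = (cert) => cert.subject === cert.issuer;
const findIssuer = (cert, pool) => pool.find((c) => c.subject === cert.issuer);

// Walk from the leaf towards a root. With trustedFirst the trust store is
// consulted before the peer-supplied certificates at every step, so the walk
// stops at the self-signed ISRG Root X1. Without it, the peer-supplied
// cross-signed ISRG Root X1 is taken first, which drags DST Root CA X3 in.
function buildChain(leaf, untrusted, trusted, trustedFirst) {
  const chain = [leaf];
  while (chain.length <= MAX_DEPTH) {
    const current = chain[chain.length - 1];
    if (isSelfSigned(current)) {
      return { chain, anchored: trusted.includes(current) };
    }
    const fromTrusted = findIssuer(current, trusted);
    const fromUntrusted = findIssuer(current, untrusted);
    const next = trustedFirst ? fromTrusted || fromUntrusted : fromUntrusted || fromTrusted;
    if (!next) {
      return { chain, anchored: false, error: "unable to get issuer certificate" };
    }
    chain.push(next);
  }
  return { chain, anchored: false, error: "certificate chain too long" };
}

// Verify the built chain as of `now`: it must end in a trust anchor and every
// certificate, root included, must still be within its validity period.
// On failure the depth of the offending certificate is reported (leaf = 0).
function verifyChain(leaf, untrusted, trusted, { trustedFirst, now }) {
  const { chain, anchored, error } = buildChain(leaf, untrusted, trusted, trustedFirst);
  const path = chain.map((c) => c.subject);
  if (error) return { ok: false, error, path };
  if (!anchored) return { ok: false, error: "unable to get local issuer certificate", path };
  for (let depth = 0; depth < chain.length; depth++) {
    if (chain[depth].notAfter < now) {
      return { ok: false, error: "certificate has expired", depth, path };
    }
  }
  return { ok: true, path };
}

// Run both modes for the date of the report.
for (const trustedFirst of [false, true]) {
  const result = verifyChain(PEER_CHAIN[0], PEER_CHAIN, TRUST_STORE, { trustedFirst, now: "2021-10-01" });
  const outcome = result.ok ? "PASS" : `${result.error} (depth ${result.depth})`;
  console.log(`trustedFirst=${trustedFirst}: ${outcome} via ${result.path.join(" -> ")}`);
}
```

The depth the model reports for the failing case (3, the root) is the same number OpenSSL hands to the verify callback, and it is the quickest way to tell this chain-building failure from a genuinely expired leaf (depth 0) when triaging "certificate has expired" on an old client.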

mscdex (Contributor) commented Oct 1, 2021

Node.js v8.x is no longer supported. You can check this repo for information on the support timelines for Node.js branches.

Giszmo commented Oct 9, 2021

But how about node 16? I have the same issue there. Is that another issue? When will it be fixed?

jbeaudoin11 (Author) commented
@Giszmo The flag has been in since Node.js v10.x; I think you are having another issue not related to this.

Development

No branches or pull requests

3 participants