-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Root certificate is prioritized over SNICallback context in HTTPS Server #54235
Comments
Edit: this issue doesn't seem strictly related to Let's Encrypt. I was able to create a locally generated cert that is prioritized. I think this highlights that this is maybe not a bug but a poorly documented feature of OpenSSL? If anyone knows anything about certificate prioritization, more information would be greatly appreciated. I'm working on a Node.js regression test too that hopefully demonstrates it. |
Depending on the content of a cert, it seems that OpenSSL will prioritize the root cert over the context returned by SNICallback. This behavior is unexpected. This PR adds a test that demonstrates the behavior. Ideally there is a fix, or a explanation for this behavior we can add to the docs. Fixes: nodejs#54235
Depending on the content of a cert, it seems that OpenSSL will prioritize the root cert over the context returned by SNICallback. This behavior is unexpected. This PR adds a test that demonstrates the behavior. Ideally there is a fix, or a explanation for this behavior we can add to the docs. Fixes: nodejs#54235 PR-URL: nodejs#54251
@nodejs/http @nodejs/net any ideas? |
I did a test using const app = uWS.SSLApp({
key_file_name: "example.com-key.pem",
cert_file_name: 'example.com.pem',
}).addServerName('test.cloud.com', {
key_file_name: 'test.cloud.com.key',
cert_file_name: 'test.cloud.com.crt'
}).get('/*', (res, req) => {
res.end('Hello World!');
}).listen(port, (token) => {
if (token) {
console.log('Listening to port ' + port);
} else {
console.log('Failed to listen to port ' + port);
}
}); Requests to this app will get the correct certificates back regardless of the certificate content. I think this helps point the issue back towards Node.js and its usage of OpenSSL. |
I did a debug step-through using the test I wrote in #54251 here is what I found: Starting off with the SNICallback flow:
Stepping through
|
I am considering a fix to |
@indutny do you happen to know whats going on here? I'm still trying to determine if there is a better way to implement |
I guess a code change may not be necessary here. As far as I can tell this is about the OpenSSL Verification configuration (https://docs.openssl.org/3.0/man1/openssl-verification-options/). I think I could try using these options to get the certs to play nice. I'd still appreciate someone with more OpenSSL experience to weigh in here whether this is a bug or not. Thank you! |
Version
22.5.1
Platform
Subsystem
tls, https
What steps will reproduce the bug?
Edit: I've added a test that reproduces the issue here: #54251
Old Example Repro
Output:
How often does it reproduce? Is there a required condition?
This bug only seems to happen when the root cert/key pair is from Let's Encrypt. We ran into this issue with a Digicert first, but were able to reproduce using a locally generated certificate too.I've further narrowed down the conditions. It seems that certain certificates (those with better CA or maybe created using an ext) will be prioritized over others without those things. It is not directly related to a certain provider. The reproduction demonstrates that the
test/fixtures/keys/ca5-cert.pem
is prioritized overtest/fixtures/keys/agent1-cert.pem
.What is the expected behavior? Why is that the expected behavior?
We expect the correct certificate to be used every time.
Additional information
Other issues/prs I reviewed:
I also asked Claude AI about this to see if it could help me along and it replied with some interesting points:
Maybe that'll help folks who understand SNI better 🤷♂️
The text was updated successfully, but these errors were encountered: