Version
v16.15.1 and v18.4.0
Platform
Linux 1d9fcb4cd3b7 5.10.104-linuxkit #1 SMP Thu Mar 17 17:08:06 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Subsystem
No response
What steps will reproduce the bug?
Dockerfile
FROM ubuntu:jammy
RUN apt-get -qqy update \
    && apt-get -qqy install curl xz-utils
RUN mkdir /node-16 && mkdir /node-18
RUN curl -sL -o /node-16/node.tar.xz https://nodejs.org/dist/v16.15.1/node-v16.15.1-linux-x64.tar.xz
RUN curl -sL -o /node-18/node.tar.xz https://nodejs.org/dist/v18.4.0/node-v18.4.0-linux-x64.tar.xz
RUN cd /node-16 && tar --strip-components=1 -xJf ./node.tar.xz && rm /node-16/node.tar.xz
RUN cd /node-18 && tar --strip-components=1 -xJf ./node.tar.xz && rm /node-18/node.tar.xz
COPY test.js /tmp/test.js
test.js
const https = require('https');
https.get('https://google.com', (res) => {
  res.setEncoding('utf8');
  let rawData = '';
  res.on('data', (chunk) => { rawData += chunk; });
  res.on('end', () => {
    console.log(rawData);
  });
}).on('error', (e) => {
  console.error(e);
});
Given a directory with the 2 files listed above, complete the following steps:
- Run
docker build -t node-openssl .
- Run
docker run -it node-openssl bash
- Run
export _PATH=$PATH
- Run
export PATH=/node-16/bin:$_PATH
- Run
which node && node -v && node --use-openssl-ca /tmp/test.js
and see the following output:
/node-16/bin/node
v16.15.1
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
- Run
export PATH=/node-18/bin:$_PATH
- Run
which node && node -v && node --use-openssl-ca /tmp/test.js
and see the following output:
/node-18/bin/node
v18.4.0
Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1533:34)
    at TLSSocket.emit (node:events:537:28)
    at TLSSocket._finishInit (node:_tls_wrap:947:8)
    at ssl.onhandshakedone (node:_tls_wrap:728:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
How often does it reproduce? Is there a required condition?
I've been able to get this to reproduce every time. The --use-openssl-ca flag is required to trigger it.
What is the expected behavior?
I expect the behavior between v16 and v18 to be the same.
What do you see instead?
v18 appears to be unable to verify the CA using the OpenSSL CA store:
Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1533:34)
    at TLSSocket.emit (node:events:537:28)
    at TLSSocket._finishInit (node:_tls_wrap:947:8)
    at ssl.onhandshakedone (node:_tls_wrap:728:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
Additional information
I can get the request to verify correctly if I explicitly set SSL_CERT_DIR=/etc/ssl/certs in the environment.
For example:
$ which node && node -v && SSL_CERT_DIR=/etc/ssl/certs node --use-openssl-ca /tmp/test.js
/node-18/bin/node
v18.4.0
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>