Bug 228135 - www/node 10.0.0: SSL routines:tls_process_key_exchange:wrong signature length on i386 only
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Bradley T. Hughes
Reported: 2018-05-10 22:16 UTC by Marcin Cieślak
Modified: 2018-05-14 21:41 UTC
Description Marcin Cieślak 2018-05-10 22:16:32 UTC
node 10.0 built with default options as of r464137
10.4-RELEASE-p9 jail on 11.1-STABLE host

Same JS script:

# cat /tmp/fetch.js 
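const https = require('https');

https.get('https://registry.npmjs.org/', (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  // Stream the response body to stdout.
  res.on('data', (d) => {
    process.stdout.write(d);
  });

}).on('error', (e) => {
  // A failed TLS handshake is reported here.
  console.error(e);
});

# node /tmp/fetch.js 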
{ Error: write EPROTO 704655488:error:1416D108:SSL routines:tls_process_key_exchange:wrong signature length:../deps/openssl/openssl/ssl/statem/statem_clnt.c:1693:

    at WriteWrap.afterWrite [as oncomplete] (net.js:835:14) errno: 'EPROTO', code: 'EPROTO', syscall: 'write' }

# node -p process.versions
{ http_parser: '2.8.0',
  node: '10.0.0',
  v8: '6.6.346.24-node.5',
  uv: '1.20.3',
  zlib: '1.2.11',
  ares: '1.12.0',
  modules: '64',
  nghttp2: '1.29.0',
  napi: '3',
  openssl: '1.1.0h',
  icu: '61.1',
  unicode: '10.0',
  cldr: '33.0',
  tz: '2018c' }

# { target_defaults: 
   { cflags: [],
     default_configuration: 'Release',
     defines: [],
      [ '/usr/local/include',
        '/usr/local/include' ],
      [ '-lz',
        '-licudata' ] },
   { asan: 0,
     build_v8_with_gn: false,
     coverage: false,
     debug_http2: false,
     debug_nghttp2: false,
     force_dynamic_crt: 0,
     host_arch: 'ia32',
     icu_gyp_path: 'tools/icu/icu-system.gyp',
     icu_small: false,
     llvm_version: '3.4',
     node_byteorder: 'little',
     node_debug_lib: false,
     node_enable_d8: false,
     node_enable_v8_vtunejit: false,
     node_install_npm: false,
     node_module_version: 64,
     node_no_browser_globals: false,
     node_prefix: '/usr/local',
     node_release_urlbase: '',
     node_shared: false,
     node_shared_cares: true,
     node_shared_http_parser: false,
     node_shared_libuv: true,
     node_shared_nghttp2: false,
     node_shared_openssl: false,
     node_shared_zlib: true,
     node_tag: '',
     node_target_type: 'executable',
     node_use_bundled_v8: true,
     node_use_dtrace: false,
     node_use_etw: false,
     node_use_openssl: true,
     node_use_perfctr: false,
     node_use_v8_platform: true,
     node_without_node_options: false,
     openssl_fips: '',
     openssl_no_asm: 1,
     shlib_suffix: 'so.64',
     target_arch: 'ia32',
     v8_enable_gdbjit: 0,
     v8_enable_i18n_support: 1,
     v8_enable_inspector: 1,
     v8_no_strict_aliasing: 1,
     v8_optimized_debug: 0,
     v8_promise_internal_field_count: 1,
     v8_random_seed: 0,
     v8_trace_maps: 0,
     v8_typed_array_max_size_in_heap: 0,
     v8_use_snapshot: true,
     want_separate_host_toolset: 0 } }
Comment 1 Bradley T. Hughes freebsd_committer 2018-05-11 09:21:15 UTC
I can also reproduce this on my 11.1-RELEASE i386 jail on a 12.0-CURRENT host.
Comment 2 Bradley T. Hughes freebsd_committer 2018-05-11 09:56:54 UTC
I think I have a fix; I need to verify it on armv[67] and aarch64 first.
Comment 3 Bradley T. Hughes freebsd_committer 2018-05-11 11:22:49 UTC
The build broke on my arm jails, so I will need more time to work on it. I'll keep you posted.
Comment 4 Marcin Cieślak 2018-05-11 12:11:23 UTC
Can you share your idea? Do you think it's an upstream issue?

I hope it is not a 32-bit compatibility problem similar to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=178881

I couldn't test unbundled OpenSSL in Poudriere because Python does not like the newest OpenSSL.
Comment 5 Bradley T. Hughes freebsd_committer 2018-05-11 12:18:47 UTC
The idea is to stop using the BSD-x86_64 no-asm config for everything. I had thought I managed to get the build working on all archs with this config, but it assumes a 64-bit arch, which of course breaks on i386 and 32-bit arm.

This is both an upstream issue and a port issue. Upstream, they only provide a BSD-x86_64 arch config, so the port is having to work around the lack of a 32-bit config by trying to re-use other configs, which doesn't completely work. Once I make sense of everything, I plan to open more upstream issues and pull requests to get the build into shape without the need for multiple patches in the port.

I have already reported the lack of a 32-bit BSD-x86 config: https://github.com/nodejs/node/issues/20326
Comment 6 commit-hook freebsd_committer 2018-05-13 08:22:01 UTC
A commit references this bug:

Author: bhughes
Date: Sun May 13 08:21:49 UTC 2018
New revision: 469781
URL: https://svnweb.freebsd.org/changeset/ports/469781

  www/node: fix SSL/TLS on i386

  The upgrade to v10.0.0 included significant changes to the OpenSSL
  dependency in Node.js, in particular how the build was configured.
  Upstream does not include a BSD-x86 config anymore, so the www/node port
  ended up using the BSD-x86_64 no-asm config for all builds except x86_64
  (which used the asm optimized config). This was a mistake, causing all
  32-bit archs to build OpenSSL configured for a 64-bit architecture, and
  it causes problems with SSL/TLS as described in PR 228135.

  Change the build config to not use BSD-x86_64 no-asm for 32-bit i386 and
  arm builds, falling back to the generic linux-elf configuration instead.
  Patches remove Linux specific libraries (-ldl) and keep the CFLAGS the
  same as the BSD config.

  PR:             228135
  Reported by:    Marcin Cieślak <saper@saper.info>
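
Added example, not part of the commit message, the port or Node.js: a build-time check for the misconfiguration described above (a 32-bit target built with a 64-bit OpenSSL config). It assumes the OpenSSL 1.1.0 opensslconf.h convention of defining exactly one of SIXTY_FOUR_BIT_LONG, SIXTY_FOUR_BIT or THIRTY_TWO_BIT; the function names, the arch-to-bits mapping and the header fragments are constructed for illustration.

```javascript
'use strict';
// Pointer width per Node.js target_arch value (mapping assumed for this example).
const ARCH_BITS = new Map([['ia32', 32], ['arm', 32], ['x64', 64], ['arm64', 64]]);

// Bignum word-size macros; exactly one should be #defined in opensslconf.h.
const WORD_MACROS = new Map([
  ['SIXTY_FOUR_BIT_LONG', 64],
  ['SIXTY_FOUR_BIT', 64],
  ['THIRTY_TWO_BIT', 32],
]);

// Return the configured bignum word size in bits; throw if none or several.
function configuredWordBits(headerText) {
  const defined = [];
  for (const line of headerText.split('\n')) {
    const m = /^\s*#\s*define\s+(\w+)\b/.exec(line);
    if (m && WORD_MACROS.has(m[1])) defined.push(m[1]);
  }
  if (defined.length !== 1) {
    throw new Error(`expected one word-size macro, found ${defined.length}`);
  }
  return WORD_MACROS.get(defined[0]);
}

// Compare the header's word size with the target architecture's width.
function checkOpensslConfig(headerText, targetArch) {
  if (!ARCH_BITS.has(targetArch)) throw new Error(`unknown target_arch: ${targetArch}`);
  const archBits = ARCH_BITS.get(targetArch);
  const wordBits = configuredWordBits(headerText);
  return { targetArch, archBits, wordBits, ok: archBits === wordBits };
}

// Constructed header fragments in the style of opensslconf.h.
const HEADER_64 = `
# undef BN_LLONG
# define SIXTY_FOUR_BIT_LONG
# undef SIXTY_FOUR_BIT
# undef THIRTY_TWO_BIT
`;
const HEADER_32 = `
# define BN_LLONG
# undef SIXTY_FOUR_BIT_LONG
# undef SIXTY_FOUR_BIT
# define THIRTY_TWO_BIT
`;

console.log(checkOpensslConfig(HEADER_64, 'ia32')); // 64-bit config on i386: ok is false
console.log(checkOpensslConfig(HEADER_32, 'ia32')); // 32-bit config on i386: ok is true
```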

Comment 7 Bradley T. Hughes freebsd_committer 2018-05-13 08:23:55 UTC
I just committed a fix, but I would appreciate it if you could also test and confirm that it works for you as well. :)
Comment 8 Rob Belics 2018-05-13 17:07:50 UTC
(In reply to Bradley T. Hughes from comment #7)
About this same time, I updated node on two machines. One worked fine, the other, some time later, did not update. I don't know if this is related:

  cc '-DOPENSSL_NO_HW' '-DDSO_DLFCN' '-DHAVE_DLFCN_H' '-DNDEBUG' '-DOPENSSL_THREADS' '-DOPENSSL_NO_DYNAMIC_ENGINE' '-DOPENSSL_PIC' '-DOPENSSL_BN_ASM_PART_WORDS' '-DOPENSSL_IA32_SSE2' '-DOPENSSL_BN_ASM_MONT' '-DOPENSSL_BN_ASM_GF2m' '-DSHA1_ASM' '-DSHA256_ASM' '-DSHA512_ASM' '-DRC4_ASM' '-DMD5_ASM' '-DRMD160_ASM' '-DAES_ASM' '-DVPAES_ASM' '-DWHIRLPOOL_ASM' '-DGHASH_ASM' '-DECP_NISTZ256_ASM' '-DPADLOCK_ASM' '-DPOLY1305_ASM' '-DOPENSSLDIR="/etc/ssl"' '-DENGINESDIR="/dev/null"' '-DTERMIOS' -I../deps/openssl/openssl -I../deps/openssl/openssl/include -I../deps/openssl/openssl/crypto -I../deps/openssl/openssl/crypto/include -I../deps/openssl/openssl/crypto/modes -I../deps/openssl/config -I../deps/openssl/config/archs/linux-elf/asm -I../deps/openssl/config/archs/linux-elf/asm/include -I../deps/openssl/config/archs/linux-elf/asm/crypto -I../deps/openssl/config/archs/linux-elf/asm/crypto/include/internal  -pthread -Wall -Wextra -Wno-unused-parameter -m32 -Wall -O3 -pthread -DL_ENDIAN -fomit-frame-pointer -Wno-missing-field-initializers -Wno-old-style-declaration -O3 -fno-omit-frame-pointer  -MMD -MF /usr/ports/www/node/work/node-v10.1.0/out/Release/.deps//usr/ports/www/node/work/node-v10.1.0/out/Release/obj.target/openssl/deps/openssl/openssl/ssl/bio_ssl.o.d.raw -isystem /usr/local/include -O2 -pipe  -fstack-protector -isystem /usr/local/include -fno-strict-aliasing -c -o /usr/ports/www/node/work/node-v10.1.0/out/Release/obj.target/openssl/deps/openssl/openssl/ssl/bio_ssl.o ../deps/openssl/openssl/ssl/bio_ssl.c
warning: unknown warning option '-Wno-old-style-declaration'; did you mean
      '-Wno-out-of-line-declaration'? [-Wunknown-warning-option]
In file included from ../deps/openssl/openssl/ssl/bio_ssl.c:14:
In file included from ../deps/openssl/openssl/include/openssl/crypto.h:22:
In file included from ../deps/openssl/openssl/include/openssl/e_os2.h:13:
In file included from ../deps/openssl/openssl/include/openssl/opensslconf.h:1:
In file included from ../deps/openssl/openssl/include/../../config/opensslconf.h:9:
../deps/openssl/config/./opensslconf_asm.h:112:11: fatal error: 
      './archs/BSD-x86/asm/include/openssl/opensslconf.h' file not found
# include "./archs/BSD-x86/asm/include/openssl/opensslconf.h"
1 warning and 1 error generated.
gmake[3]: *** [deps/openssl/openssl.target.mk:801: /usr/ports/www/node/work/node-v10.1.0/out/Release/obj.target/openssl/deps/openssl/openssl/ssl/bio_ssl.o] Error 1
rm 85b29271a4bb91f75d9ce011e25110ea11ec22c1.intermediate
gmake[2]: *** [Makefile:87: node] Error 2
gmake[2]: Leaving directory '/usr/ports/www/node/work/node-v10.1.0'
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1

make[1]: stopped in /usr/ports/www/node
*** Error code 1
Comment 9 Bradley T. Hughes freebsd_committer 2018-05-13 17:56:48 UTC
Rob: that error shouldn't happen, since the port patches opensslconf_asm.h to comment out line 112 that includes "archs/BSD-x86/asm/include/openssl/opensslconf.h". See files/patch-deps_openssl_config_opensslconf__asm.h

Do you have any local modifications to your ports tree?
Comment 10 Rob Belics 2018-05-13 19:35:47 UTC
(In reply to Bradley T. Hughes from comment #9)
I have made no changes to this or portsnap in many years but I've used node for many years also. Can you suggest where I might look for anything that could affect this?
Comment 11 Marcin Cieślak 2018-05-13 19:47:23 UTC

I run into the same issue.

I think the port is patching only "no-asm" versions and this is "asm".

After "make patch" I have line 112 like this:

# include "./archs/BSD-x86/asm/include/openssl/opensslconf.h"

Besides, I don't think that commenting out "#elif" is useful - it should fall back to the last #else and will try to use some Linux stuff.

Besides, we are using a C compiler here; I think we should not use "//" comments...
Comment 12 commit-hook freebsd_committer 2018-05-13 20:30:40 UTC
A commit references this bug:

Author: bhughes
Date: Sun May 13 20:30:04 UTC 2018
New revision: 469828
URL: https://svnweb.freebsd.org/changeset/ports/469828

  www/node: fix build on i386

  Add patch files missing from r469781, which ensure that the Node.js
  build on i386 falls back to the linux-elf OpenSSL config.

  PR:		228135
  Reported by:	Marcin Cieslak <saper@saper.info>

Comment 13 Bradley T. Hughes freebsd_committer 2018-05-13 20:42:07 UTC
Thanks for the feedback, Rob and Marcin. Found out that I forgot to `svn add` several new patch files. They are committed now, please try again :)
Comment 14 Rob Belics 2018-05-14 00:05:53 UTC
(In reply to Bradley T. Hughes from comment #13)
That fixed it for me. Thanks for your work on all this.
Comment 15 Bradley T. Hughes freebsd_committer 2018-05-14 21:41:01 UTC
And thank you for taking the time to report it :) I'm closing this specific issue now, but will be submitting several changes upstream in the next few days and weeks.