tls ClearOut fails with SSL_accept() = -1


Astro

Aug 22, 2011, 8:08:12 PM
to nod...@googlegroups.com
Hi

Due to tls.Server and tls.connect() not being able to "STARTTLS" after a
custom plaintext prologue, we're using a kludge[1] previously discussed
on this list.

Now TLS capabilities shall be extended to our XMPP server code. However,
despite creating the SecurePair with requestCert=false and
rejectUnauthorized=false, the encrypted stream is being closed
immediately after receiving the client's handshake. Googling for error
-1 (see below) tells me that verification failed, though I've ensured
that verify_mode = SSL_VERIFY_NONE.


Output from node compiled with -DSSL_PRINT_DEBUG, started with
NODE_DEBUG=tls:

[0x223f050] SSL: SSL_accept:Start want read
TLS: encrypted._pull
TLS: cleartext._pull
TLS: cleartext._push
TLS: reading from clearOut
[0x223f050] SSL: SSL_accept:ClearOut want read
TLS: encrypted._push
TLS: reading from encOut
[0x223f050] BIO: BIO_read:EncOut want read. should retry 8
socket.on 'data', <Buffer 16 03 01 00 cc 01 00 00 c8 03 01 4e 52 ea 5f 29 18
2d f6 c9 72 fd 43 24 4b 26 08 3e dd d8 73 c4 bf 84 38 8c 86 36 20 25 03
e6 a6 00 00 5a c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00
84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00
9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0
02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02
01 00 00 44 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 01 00 02 00 03
00 04 00 05 00 06 00 07 00 08 00 09 00 0a 00 0b 00 0c 00 0d 00 0e 00 0f
00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 23 00 00>
}
TLS: encrypted.write called with 209 bytes
TLS: clearIn data
TLS: encrypted._pull
TLS: writing from encIn
TLS: drain
TLS: cleartext._pull
TLS: cleartext._push
TLS: reading from clearOut
[0x223f050] SSL: SSL_accept:ClearOut failed: (1:-1)
error:00000001:lib(0):func(0):reason(1)
TLS: encrypted._push
cleartext.encrypted.on 'close'


Has anyone seen this before?
Astro

[1] https://github.com/astro/node-xmpp/blob/superfeedr_c2s/lib/starttls.js

Julien Genestoux

Aug 24, 2011, 11:41:46 AM
to nodejs
Up!

Astro

Aug 26, 2011, 2:12:21 PM
to nod...@googlegroups.com
Hi

I solved that now. We were calling crypto.createCredentials() ourselves,
before starttls.js did it a second time with the result of that.

Maybe the library should throw an exception unless the parameter has the
{ key: ..., cert: ..., ca: ... } format, but I won't stumble over that
again.


Astro
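The root cause above was a credentials object being fed back into a second createCredentials() call, which the library accepted silently and OpenSSL then rejected with an unhelpful SSL_accept() = -1. The check Astro suggests is easy to put in front of the wrapper. The following is an added example, not code from the thread or from node-xmpp's starttls.js: it validates that the argument really is a plain `{ key, cert, ca }` options object and fails fast with a specific message when it is an already-built credentials/secure-context object instead. It assumes that a built credentials object exposes the native handle as a `context` property (true of the old Credentials object and of today's `tls.createSecureContext()` result); the `factory` parameter and the `createCredentialsOnce` name are this example's own.

```javascript
'use strict';
// Added example: guard against double-wrapping TLS credentials.
// Not part of the original thread or of node-xmpp.

// Assumption: a credentials object built by crypto.createCredentials()
// (or tls.createSecureContext() in current node) carries a `context`
// property holding the native handle; plain PEM options never do.
function looksLikeCredentials(value) {
  return value !== null && typeof value === 'object' && 'context' in value;
}

// PEM material may be given as a string or a Buffer.
function isKeyMaterial(value) {
  return typeof value === 'string' || Buffer.isBuffer(value);
}

// Validate the options a STARTTLS wrapper should accept and return them
// unchanged. Throws a TypeError that names the actual mistake instead of
// letting OpenSSL fail later with SSL_accept() = -1.
function assertCredentialOptions(opts) {
  if (looksLikeCredentials(opts)) {
    throw new TypeError(
      'expected { key, cert, ca } options but got an already-built ' +
      'credentials object; createCredentials() was called twice');
  }
  if (opts === null || typeof opts !== 'object') {
    throw new TypeError('credential options must be an object');
  }
  if (!isKeyMaterial(opts.key) || !isKeyMaterial(opts.cert)) {
    throw new TypeError(
      'credential options must contain PEM `key` and `cert` as string or Buffer');
  }
  if (opts.ca !== undefined) {
    const cas = Array.isArray(opts.ca) ? opts.ca : [opts.ca];
    if (cas.length === 0 || !cas.every(isKeyMaterial)) {
      throw new TypeError('`ca` must be a PEM string/Buffer or a non-empty array of them');
    }
  }
  return opts;
}

// Build credentials exactly once. `factory` is whatever turns options into
// a credentials object (hypothetical parameter; in real code pass
// tls.createSecureContext). Passing the result back in throws instead of
// silently producing a broken context.
function createCredentialsOnce(opts, factory) {
  if (typeof factory !== 'function') {
    throw new TypeError('factory must be a function');
  }
  return factory(assertCredentialOptions(opts));
}

// Constructed sample inputs (placeholders, not real key material).
const SAMPLE_OPTS = {
  key: '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n',
  cert: '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n',
  ca: ['-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n'],
};

// Stand-in factory that mimics the shape of a built credentials object,
// so the double-wrap detection can be exercised without real PEM data.
function fakeFactory(opts) {
  return { context: { keyBytes: opts.key.length, certBytes: opts.cert.length } };
}

// Reproduce the thread's mistake and show that it is now caught early.
function demonstrateDoubleWrap() {
  const creds = createCredentialsOnce(SAMPLE_OPTS, fakeFactory); // first call: fine
  try {
    createCredentialsOnce(creds, fakeFactory);                   // second call: rejected
    return 'not detected';
  } catch (err) {
    return err instanceof TypeError ? 'detected' : 'wrong error';
  }
}
```

In the real server the factory argument is `tls.createSecureContext`, and the validated options object is what gets passed to the SecurePair; the point of the guard is that the error surfaces in the caller's stack, with the caller's object, rather than as an opaque OpenSSL handshake failure on the first client connection.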
