SSL forwarder crashes on connect on Ubuntu 20.04 #240

Open
OlegSmelov opened this issue Sep 22, 2020 · 5 comments

@OlegSmelov
Contributor

The crash is caused by eventmachine/eventmachine#926

The solution is to wait for eventmachine to be updated and release the new version of Invoker that depends on the new version.

Copying the comment from the issue:

I'm having this error with Invoker which uses EventMachine internally.

```
140207038160576:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
invoker start [redacted].ini: ssl.cpp:173: SslContext_t::SslContext_t(bool, const string&, const string&): Assertion `e > 0' failed.
```

As a workaround, I've commented out `start_http_proxy(InvokerHttpsProxy, 'https', options)` in Invoker source.

@swrobel
Collaborator

swrobel commented Sep 22, 2020

@OlegSmelov have you tested, and does Invoker work w/ latest EM? I thought for some reason we were locked to the version that we are because another dep required older EM ... but that decision was before my time working on the project so I'm not certain.

@OlegSmelov
Contributor Author

Building against newer eventmachine alone doesn't work:

```
# build of current master with
# `s.add_dependency("eventmachine", "~> 1.2.7")`
# patched in gemspec

$ gem install invoker-1.5.8.gem
ERROR:  While executing gem ... (Gem::DependencyResolutionError)
    conflicting dependencies eventmachine (~> 1.0.0) and eventmachine (~> 1.2.7)
  Activated eventmachine-1.2.7
  which does not match conflicting dependency (~> 1.0.0)

  Conflicting dependency chains:
    invoker (= 1.5.8), 1.5.8 activated, depends on
    eventmachine (~> 1.2.7), 1.2.7 activated

  versus:
    invoker (= 1.5.8), 1.5.8 activated, depends on
    rubydns (~> 0.8.5), 0.8.5 activated, depends on
    eventmachine (~> 1.0.0)

  Gems matching eventmachine (~> 1.0.0):
    eventmachine-1.0.9.1
```

Newer versions of RubyDNS do not use EventMachine anymore, so I doubt they're compatible. It won't be as easy as I imagined after all.

@OlegSmelov
Contributor Author

For context and workarounds:

I haven't tried it, but another workaround would be to use your own certificate and private key with Invoker. It seems to me that as long as we depend on the default certificate, this issue is bound to resurface every time security requirements are tightened.
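
The `ee key too small` error in the log above is OpenSSL rejecting a certificate whose key is below the minimum for the active security level; Ubuntu 20.04 defaults to level 2, which requires RSA keys of at least 2048 bits. The Ruby sketch below is an added example, not code from Invoker or EventMachine: it checks a certificate against that limit and generates a replacement self-signed pair. The helper names and the `invoker.test` subject are assumptions, and how the pair is handed to Invoker is not covered on this page.

```ruby
require "openssl"
require "securerandom"

# Minimum RSA modulus size (bits) OpenSSL accepts at each security level.
MIN_RSA_BITS = { 0 => 0, 1 => 1024, 2 => 2048, 3 => 3072, 4 => 7680, 5 => 15360 }.freeze

# RSA modulus size of the certificate's public key, or nil for non-RSA keys.
def rsa_bits(cert)
  key = cert.public_key
  key.is_a?(OpenSSL::PKey::RSA) ? key.n.num_bits : nil
end

# True when the certificate's RSA key is below the minimum for this level,
# i.e. the case SSL_CTX_use_certificate reports as "ee key too small".
def key_too_small?(cert, level = 2)
  bits = rsa_bits(cert)
  !bits.nil? && bits < MIN_RSA_BITS.fetch(level)
end

# Authoritative check: ask the linked OpenSSL itself to load the pair.
def loads_at_level?(cert, key, level)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.security_level = level
  ctx.add_certificate(cert, key)
  true
rescue OpenSSL::SSL::SSLError
  false
end

# Self-signed certificate and key (constructed subject, one year validity).
def self_signed(bits, cn = "invoker.test")
  key = OpenSSL::PKey::RSA.new(bits)
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = SecureRandom.random_number(2**63) + 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end
```

Running `key_too_small?` against the certificate a tool ships with shows whether it will trip this check before the process starts; `loads_at_level?` confirms the result against the OpenSSL build Ruby is linked to.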

@swrobel
Collaborator

swrobel commented Sep 22, 2020

> Newer versions of RubyDNS do not use EventMachine anymore, so I doubt they're compatible. It won't be as easy as I imagined after all.

Yes, unfortunately I attempted a refactor at one point to use newer async-based RubyDNS and gave up as it was basically turning into a rewrite.

@nicobrenner

nicobrenner commented Jan 21, 2021

@OlegSmelov thank you for the links about openssl configuration.

I had a similar issue in macOS. Invoker would crash with a Bus Error and a stack trace (see screenshot below).

image

Apparently something having to do with openssl's start_tls and the eventmachine gem.

What worked for me was: installing openssl 1.0 alongside 1.1 (homebrew had automatically installed 1.1 and replaced 1.0 in the process), then re-installing ruby using rbenv and telling it to use openssl 1.0 (`RUBY_CONFIGURE_OPTS="--with-openssl-dir=/usr/local/opt/openssl" rbenv install 2.4.4`), then re-installing invoker.

Some additional resources that might help figuring out how to install openssl 1.0 with homebrew (it wasn't straightforward, as homebrew has deprecated openssl 1.0, so `brew install openssl@1.0` doesn't work):
