[1.1.0] Secure LDAP connection issues - Error: socket hang up - again #14707

Closed
tobru opened this issue May 31, 2019 · 9 comments
Labels
stat: stale Stale issues will be automatically closed if no activity subj: auth - ldap type: bug

Comments

tobru commented May 31, 2019

Description:

The same issue as in #9316, which was fixed in #9343, appears again. No TLS connections to the LDAP server are possible anymore.

Steps to reproduce:

See #9316

Expected behavior:

TLS connections to the LDAP server

Actual behavior:

LDAP ➔ Connection.info Init setup
LDAP ➔ Connection.info Connecting ldaps://ldap.mycompany.com:636
server.js:207 LDAP ➔ Connection.error connection { Error: socket hang up
    at TLSSocket.onHangUp (_tls_wrap.js:1137:19)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)
    at TLSSocket.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  code: 'ECONNRESET',
  path: undefined,
  host: 'ldap.mycompany.com',
  port: 636,
  localAddress: undefined }
{ Error: socket hang up
    at TLSSocket.onHangUp (_tls_wrap.js:1137:19)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)
    at TLSSocket.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  code: 'ECONNRESET',
  path: undefined,
  host: 'ldap.mycompany.com',
  port: 636,
  localAddress: undefined }
Exception in callback of async function: Error: 140324295396224:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1498:SSL alert number 40
140324295396224:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1216:

Server Setup Information:

  • Version of Rocket.Chat Server: 1.1.0
  • Operating System: Docker
  • Deployment Method: Docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Enabled
  • NodeJS Version: 8.11.4 - x64
  • MongoDB Version: 4.0.9

Additional context

See #9316 and #9343.

Relevant logs:

Rocket.Chat: See above.

LDAP Server:

[31/May/2019:13:26:08.244648359 +0200] conn=1796843 fd=80 slot=80 SSL connection from x to y
[31/May/2019:13:26:08.244975949 +0200] conn=1796843 op=-1 fd=80 closed - Cannot communicate securely with peer: no common encryption algorithm(s).
@anothertobi
This issue is probably related to nodejs/node#16196

tobru commented Jun 3, 2019

@rodrigok Would you mind having a look into this issue? You were able to fix the very similar issue #9316 with #9343, and it seems like this fix got lost somewhere in >1.x.

@anothertobi
The bug seems to exist since 1.0.0: #14354

@geekgonecrazy (Contributor)

@rodrigok not sure if you have seen this one or not

tobru commented Jun 22, 2019

It looks like the line from the old and merged PR #9343 got lost in the current code base; I can't find this code anywhere anymore, and it looks like it's an important line to fix this issue:

```js
import tls from 'tls';
// FIX For TLS error see more here https://github.com/RocketChat/Rocket.Chat/issues/9316
// TODO: Remove after NodeJS fix it, more information https://github.com/nodejs/node/issues/16196 https://github.com/nodejs/node/pull/16853
tls.DEFAULT_ECDH_CURVE = 'auto';
```

Probably just putting these lines back in the correct file solves this issue, but as I'm not familiar with nodejs and the Rocket.Chat codebase I'm unable to contribute a PR.

@anothertobi
@rodrigok @geekgonecrazy can you provide an estimate on when this issue will be fixed? At the moment it's not possible to use the latest version of Rocket.Chat with a secure connection to LDAP.

I think the file with the fix #9343 was moved (and changed) to /app/cors/server/cors.js

spanchy commented Nov 13, 2019

@anothertobi You can use stunnel to securely connect to LDAP. In the Rocket.Chat LDAP settings section, use localhost to connect to LDAP with the insecure default settings. It will be safe :)
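
The stunnel workaround above is only as safe as the tunnel's certificate verification: once Rocket.Chat is told to speak plaintext LDAP to localhost, stunnel is the only component that can notice an impersonated LDAP server. The following is an added example configuration, not from the thread; the host name `ldap.mycompany.com`, the CA bundle path and the section name are assumptions. It binds the plaintext side to loopback only and turns on chain and host-name verification so the tunnel refuses to forward credentials to an unverified peer.

```ini
; Added example (not from this issue): stunnel in client mode so that
; Rocket.Chat connects to 127.0.0.1:389 in the clear and stunnel does LDAPS.
; Host name, CA bundle path and section name are assumptions.
[ldaps-client]
client = yes
; Plaintext leg: loopback only, never 0.0.0.0, or every host on the network
; gets an unauthenticated path to the directory via this tunnel.
accept = 127.0.0.1:389
connect = ldap.mycompany.com:636
; Verify the server certificate chain against a trusted bundle and check
; that the leaf matches the LDAP host; without these the tunnel accepts
; any certificate and a MITM goes unnoticed by Rocket.Chat.
verifyChain = yes
checkHost = ldap.mycompany.com
CAfile = /etc/ssl/certs/ca-certificates.crt
```

In Rocket.Chat, set the LDAP host to `127.0.0.1`, port `389`, and leave encryption off for that connection; the LDAPS leg is then handled by stunnel. Check the stunnel log after the first bind: a rejected chain or host-name mismatch shows up there, not in Rocket.Chat's LDAP log.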

@anothertobi
@spanchy we are now using HAProxy (https://github.com/appuio/charts/tree/master/haproxy), but it would be nice to have this feature back in Rocket.Chat :)

@github-actions (bot)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stat: stale Stale issues will be automatically closed if no activity label Oct 17, 2020
Development

No branches or pull requests

4 participants