[Solved] Setting tls options on HTTP node (edge workflow)

Cam_Esdaile · August 30, 2018, 12:28am

I am hitting an issue where the underlying node https library is negotiating the wrong TLS curve and failing with the following error message in the workflow output:

error: write EPROTO 139803240335168:error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve:../deps/openssl/openssl/ssl/t1_lib.c:1097:

Bit googling shows that setting the tls option for ecdhCurve to auto should do the trick. I attempted to confirm this by connecting to the local docker instance for the edge agent and run a quick node test as follows:

var https = require('https');

var options = {
  host: 'localhost',
  port: 443,
  path: '/api/info',
  method: 'GET',
  rejectUnauthorized: false,
  //ecdhCurve: 'auto'
};

var req = https.request(options, function(res) {

  var body = '';

  res.on('data', function(chunk) {
    body = body + chunk;
  });

  res.on('end', function(){
    console.log("Status: " + res.statusCode);
    console.log("Body: " + body);
  });

});

req.on('error', function(e) {
  console.log('error: ' + e.message);
});

req.end();

Commenting out the ecdhCurve generates the error as described.

Are there any options to set this level of option for the https library from within the workflow?

Thanks.

Michael_Kuehl · August 30, 2018, 1:55pm

Interesting!

There is no way to set this option at the moment, although doing a bit of googling of my own, I think it would be ok if we just always set that option to auto (in fact, in the current edge versions of Node.js, it looks like it defaults to auto, whereas in Node.js LTS - the version the Edge Agent uses - it defaults to prime256v1).

If possible, could you share a URL that I can reproduce the issue with?

Cam_Esdaile · September 8, 2018, 1:51am

This would be great to get this option added to Edge Agent. Unfortunately it is an internally hosted app so I can’t expose it for testing. I believe the app is fronted by nginx so I can try to figure out the config so you can replicate it in the lab.

Michael_Kuehl · September 12, 2018, 1:58pm

The relevant config would be useful - I want to make sure that whatever changes we make will actually work for you!

Cam_Esdaile · September 12, 2018, 7:56pm

I am trying to track down the dev that worked on the front end to confirm the setup. In the meantime, happy to test anything you can push my way. thanks!

Michael_Kuehl · September 13, 2018, 5:43pm

Cam, we actually found a public site where we can reproduce the issue - BadSSL. The ecc options under the Secure section cause the issue you described above, and switching to auto fixes it. This change will be in the next release of the edge agent!

Cam_Esdaile · September 20, 2018, 11:05pm

Thanks Michael - look forward to trying it out on the next release.

Michael_Kuehl · September 27, 2018, 8:21pm

Cam, we just released Version 1.2.3 of the Edge Agent, which has this setting changed. Hopefully, that fixes your issues!

Topic		Replies	Views
Unable to verify the first certificate Help edge	2	659	July 23, 2021
Http trigger Node not triggered in Edge Workflow Help edge	2	661	August 2, 2019
HTTP node differences between Application and Edge Workflows Help http , embedded-edge-agent	5	229	July 6, 2023
Edge compute broker config Help edge	20	1075	October 7, 2020
Timeout error occurs after adding the function node in the edge workflow, why? Help workflow	6	162	July 31, 2023

[Solved] Setting tls options on HTTP node (edge workflow)

Related Topics