[Solved] Setting tls options on HTTP node (edge workflow)


#1

I am hitting an issue where the underlying node https library is negotiating the wrong TLS curve and failing with the following error message in the workflow output:

error: write EPROTO 139803240335168:error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve:../deps/openssl/openssl/ssl/t1_lib.c:1097:

A bit of googling shows that setting the tls option for ecdhCurve to auto should do the trick. I attempted to confirm this by connecting to the local docker instance for the edge agent and running a quick node test as follows:

var https = require('https');

// Request options for the local edge agent instance.
var options = {
  host: 'localhost',
  port: 443,
  path: '/api/info',
  method: 'GET',
  rejectUnauthorized: false,
  // Uncommenting this line makes the request succeed; leaving it
  // commented reproduces the "wrong curve" error.
  //ecdhCurve: 'auto'
};

var req = https.request(options, function(res) {

  var body = '';

  // Collect the response body as it streams in.
  res.on('data', function(chunk) {
    body = body + chunk;
  });

  res.on('end', function(){
    console.log("Status: " + res.statusCode);
    console.log("Body: " + body);
  });

});

// TLS negotiation failures surface here as an 'error' event.
req.on('error', function(e) {
  console.log('error: ' + e.message);
});

req.end();

Commenting out the ecdhCurve generates the error as described.

Are there any options to set this level of option for the https library from within the workflow?

Thanks.
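An added helper for spotting this specific failure in workflow output and building request options with the curve fix applied. This is example code written for this thread, not code from the original post or from the Edge Agent; the host, path and error string are constructed from what the post shows.

```javascript
'use strict';

// Constructed sample: the error message quoted in the post above.
const SAMPLE_ERROR =
  'write EPROTO 139803240335168:error:1414D17A:SSL routines:' +
  'tls12_check_peer_sigalg:wrong curve:../deps/openssl/openssl/ssl/t1_lib.c:1097:';

// OpenSSL error strings have the shape
//   error:<code>:<library>:<function>:<reason>:<file>:<line>:
// Split them into fields so the reason can be matched exactly rather
// than by grepping the whole line for a substring.
function parseOpenSslError(message) {
  const m = /error:([0-9A-Fa-f]+):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):/.exec(message);
  if (!m) return null;
  return {
    code: m[1],
    library: m[2],
    func: m[3],
    reason: m[4],
    file: m[5],
    line: Number(m[6]),
    syscallError: /\bEPROTO\b/.test(message),
  };
}

// True only for the curve mismatch discussed in this thread: the peer's
// signature algorithm check rejecting the negotiated curve.
function isWrongCurveError(message) {
  const e = parseOpenSslError(message);
  return e !== null && e.func === 'tls12_check_peer_sigalg' && e.reason === 'wrong curve';
}

// Request options with ecdhCurve set to 'auto' so OpenSSL may pick any
// supported curve. Certificate verification is deliberately left on;
// pass rejectUnauthorized explicitly in `extra` only for a lab target.
function requestOptions(host, path, extra = {}) {
  return Object.assign(
    { host, port: 443, path, method: 'GET', ecdhCurve: 'auto' },
    extra
  );
}

module.exports = { SAMPLE_ERROR, parseOpenSslError, isWrongCurveError, requestOptions };
```

Feed the `error:` line from the workflow output to `isWrongCurveError`; when it returns true, the options from `requestOptions` are the ones to use with `https.request`.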


#2

Interesting!

There is no way to set this option at the moment, although doing a bit of googling of my own, I think it would be ok if we just always set that option to auto (in fact, in the current edge versions of Node.js, it looks like it defaults to auto, whereas in Node.js LTS - the version the Edge Agent uses - it defaults to prime256v1).

If possible, could you share a URL that I can reproduce the issue with?


#3

It would be great to get this option added to Edge Agent. Unfortunately it is an internally hosted app so I can’t expose it for testing. I believe the app is fronted by nginx so I can try to figure out the config so you can replicate it in the lab.


#4

The relevant config would be useful - I want to make sure that whatever changes we make will actually work for you!


#5

I am trying to track down the dev that worked on the front end to confirm the setup. In the meantime, happy to test anything you can push my way. Thanks!


#6

Cam, we actually found a public site where we can reproduce the issue - BadSSL. The ecc options under the Secure section cause the issue you described above, and switching to auto fixes it. This change will be in the next release of the edge agent!


#7

Thanks Michael - look forward to trying it out on the next release.


#8

Cam, we just released Version 1.2.3 of the Edge Agent, which has this setting changed. Hopefully, that fixes your issues!