Enabling FIPS results in library has no ciphers error #50543
-
Version
v20.9.0

Platform
Linux mahhost 5.14.0-284.30.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Aug 25 09:13:12 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux

Subsystem
Object.fetch

What steps will reproduce the bug?
Affected Versions
System Setup
Reproducer
The following test file will cause the failure:

const crypto = require('crypto')
const url = 'https://www.google.com'
async function main() {
  const response = await fetch(url)
  const body = await response.text()
  console.log('Body Length: ' + body.length)
}
console.log('FIPS Status: ' + crypto.getFips())
let hash = crypto.createHash('md5').update('test').digest("hex")
console.log('HASH: ' + hash)
crypto.setFips(true)
console.log('FIPS Status: ' + crypto.getFips())
// Fails correctly
//hash = crypto.createHash('md5').update('test').digest("hex")
//console.log('HASH: ' + hash)
main()

How often does it reproduce? Is there a required condition?
No response

What is the expected behavior? Why is that the expected behavior?
No response

What do you see instead?
node index.js
FIPS Status: 0
HASH: 098f6bcd4621d373cade4e832627b4f6
FIPS Status: 1
node:internal/deps/undici/undici:11372
Error.captureStackTrace(err, this);
^
TypeError: fetch failed
at Object.fetch (node:internal/deps/undici/undici:11372:11)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async main (/home/asve/Work/node_crypto_test/index.js:5:20) {
cause: Error: error:0A0000A1:SSL routines::library has no ciphers
at new SecureContext (node:_tls_common:88:16)
at Object.createSecureContext (node:_tls_common:113:13)
at Object.connect (node:_tls_wrap:1748:48)
at Client.connect (node:internal/deps/undici/undici:6542:24)
at socket (node:internal/deps/undici/undici:8055:29)
at new Promise (<anonymous>)
at connect (node:internal/deps/undici/undici:8054:30)
at _resume (node:internal/deps/undici/undici:8247:11)
at resume (node:internal/deps/undici/undici:8173:7)
at [dispatch] (node:internal/deps/undici/undici:7436:11) {
library: 'SSL routines',
reason: 'library has no ciphers',
code: 'ERR_SSL_LIBRARY_HAS_NO_CIPHERS'
}
}
Node.js v20.9.0

Additional information
Openssl Version
Openssl s_client works properly
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:CN = www.google.com
i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 16 08:10:46 2023 GMT; NotAfter: Jan 8 08:10:45 2024 GMT
1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN = www.google.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4328 bytes and written 379 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
Replies: 7 comments 12 replies
-
Why do you report that here? Rephrased: what makes you think this is a node.js bug?
-
The While it may not be a If there is some way to pinpoint how this is not a
-
That error bubbles up from openssl, not node. It's almost certainly a configuration issue on your end. If you're using a vendor-provided node build (i.e., one that's not been built by us), you should report issues to them.
-
I'm building directly from your source. Direct connections using
-
Have you tried the
-
That resulted in a more interesting error:
node --enable-fips index.js
node[1463827]: ../src/node.cc:1068:std::unique_ptr<node::InitializationResult> node::InitializeOncePerProcess(const std::vector<std::__cxx11::basic_string<char> >&, node::ProcessFlags::Flags): Assertion `crypto::CSPRNG(nullptr, 0).is_ok()' failed.
1: 0xb17c70 node::Abort() [node]
2: 0xb17cee [node]
3: 0xad4b41 node::InitializeOncePerProcess(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, node::ProcessFlags::Flags) [node]
4: 0xad4d93 node::Start(int, char**) [node]
5: 0x7fc3a663feb0 [/lib64/libc.so.6]
6: 0x7fc3a663ff60 __libc_start_main [/lib64/libc.so.6]
7: 0xa47e75 _start [node]
Aborted (core dumped)
-
That's a fail-safe. There's something wrong with your system or your setup that causes openssl's entropy pool to fail to initialize. I'm going to convert this to a discussion because nothing so far has been a clear indicator of actual bugs.
How are you configuring your build? By default Node.js will look for nodejs_conf in any loaded OpenSSL configuration and will not by default process openssl_conf. You can set that back to openssl_conf with --openssl-conf-name:
node/BUILDING.md
Lines 794 to 805 in 4dbb017