[0.60.x] Secure LDAP connection issues - Error: socket hang up #9316
Closed
Description:
Connections to the LDAP server using TLS or StartTLS don't work.
Server Setup Information:
```
+------------------------------------------+
|               SERVER RUNNING             |
+------------------------------------------+
|                                          |
|  Rocket.Chat Version: 0.60.2             |
|       NodeJS Version: 8.9.3 - x64        |
|             Platform: linux              |
|         Process Port: 3000               |
|             Site URL: https://hidden     |
|     ReplicaSet OpLog: Disabled           |
|          Commit Hash: 2149a6c78d         |
|        Commit Branch: HEAD               |
|                                          |
+------------------------------------------+
```
- Deployment Method(snap/docker/tar/etc): Docker
- Number of Running Instances: 1
Steps to Reproduce:
The problem started to show up after upgrading from 0.59 to 0.60, it worked like a charm with 0.59.
Expected behavior:
Secure connections to LDAP work.
Actual behavior:
Connection doesn't work with the message "Error: socket hang up".
Relevant logs:
```
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Connection.error connection { Error: socket hang up
    at TLSSocket.onHangUp (_tls_wrap.js:1135:19)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)
    at TLSSocket.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1056:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  code: 'ECONNRESET',
  path: undefined,
  host: 'ldap.mydomain.com',
  port: 636,
  localAddress: undefined }
rocketchat_logger rocketchat_logger.js:278 LDAPHandler ➔ error { Error: socket hang up
    at TLSSocket.onHangUp (_tls_wrap.js:1135:19)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)
    at TLSSocket.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1056:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  code: 'ECONNRESET',
  path: undefined,
  host: 'ldap.mydomain.com',
  port: 636,
  localAddress: undefined }
Exception in callback of async function: Error: 140350016636736:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1500:SSL alert number 40
140350016636736:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1217:
[Wed Jan 03 2018 09:00:31 GMT+0000 (UTC)] ERROR Error: 140350016636736:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1500:SSL alert number 40
140350016636736:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1217:
```
I checked if connections to the LDAP server are working using OpenSSL, and they do:
```
$ openssl s_client -connect ldap.mydomain.com:636 | openssl x509 -noout -text
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.mydomain.com
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            XXX
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Sep  6 00:00:00 2017 GMT
            Not After : Sep  6 23:59:59 2019 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.mydomain.com
[...]
```
Settings: