SSL forwarder crashes on connect on Ubuntu 20.04

[OlegSmelov]

The crash is caused by eventmachine/eventmachine#926

The solution is to wait for eventmachine to be updated and release the new version of Invoker that depends on the new version.

Copying the comment from the issue:

I'm having this error with Invoker which uses EventMachine internally.

140207038160576:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
invoker start [redacted].ini: ssl.cpp:173: SslContext_t::SslContext_t(bool, const string&, const string&): Assertion `e > 0' failed.

As a workaround, I've commented out start_http_proxy(InvokerHttpsProxy, 'https', options) in Invoker source.

[swrobel]

@OlegSmelov have you tested, and does Invoker work w/ latest EM? I thought for some reason we were locked to the version that we are because another dep required older EM ... but that decision was before my time working on the project so I'm not certain.

[OlegSmelov]

Building against newer eventmachine alone doesn't work:

# build of current master with
# `s.add_dependency("eventmachine", "~> 1.2.7")`
# patched in gemspec

$ gem install invoker-1.5.8.gem
ERROR:  While executing gem ... (Gem::DependencyResolutionError)
    conflicting dependencies eventmachine (~> 1.0.0) and eventmachine (~> 1.2.7)
  Activated eventmachine-1.2.7
  which does not match conflicting dependency (~> 1.0.0)

  Conflicting dependency chains:
    invoker (= 1.5.8), 1.5.8 activated, depends on
    eventmachine (~> 1.2.7), 1.2.7 activated

  versus:
    invoker (= 1.5.8), 1.5.8 activated, depends on
    rubydns (~> 0.8.5), 0.8.5 activated, depends on
    eventmachine (~> 1.0.0)

  Gems matching eventmachine (~> 1.0.0):
    eventmachine-1.0.9.1

Newer versions of RubyDNS do not use EventMachine anymore, so I doubt they're compatible. It won't be as easy as I imagined after all.

[OlegSmelov]

For context and workarounds:

• https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
• https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689

I haven't tried it, but another workaround would be to use your own certificate and private key with Invoker. It seems to me that as long as we depend on the default certificate, this issue is bound to resurface every time security requirements are tightened.

[swrobel]

Newer versions of RubyDNS do not use EventMachine anymore, so I doubt they're compatible. It won't be as easy as I imagined after all.

yes, unfortunately I attempted a refactor at one point to use newer async-based RubyDNS and gave up as it was basically turning into a rewrite.

[nicobrenner]

@OlegSmelov thank you for the links about openssl configuration.

I had a similar issue in MacOS. Invoker would crash with a Bus Error and a stack trace (see screenshot below).

Apparently something having to do with openssl's start_tls and the eventmachine gem.

What worked for me was: installing openssl 1.0 alongside 1.1 (homebrew had automatically installed 1.1 and replaced 1.0 in the process), then re-installing ruby using rbenv and telling it to use openssl 1.0 (RUBY_CONFIGURE_OPTS="--with-openssl-dir=/usr/local/opt/openssl" rbenv install 2.4.4), then re-installing invoker.

Some additional resources that might help figuring out how to install openssl 1.0 with hombrew (it wasn't straightforward, as homebrew has deprecated openssl 1.0, so brew install [email protected] doesn't work):

• https://gist.github.com/souzagab/0ae60e61939d51385de87904b65b2da2
• https://stackoverflow.com/questions/59337838/openssl-1-0-2m-on-macos
• macOS OpenSSL version issue - Homebrew moved it from v1.0 to v1.1 - initial fix aisingapore/TagUI#635