Hi Enrico and Nicolò,

The Node.js client is based on the C++ client so it requires the C++ Add-on. [1]

For 1.7.0 or earlier, when users install the client, the `npm install
pulsar-client` command builds the add-on. It means they have to
install the C++ compiler. For 1.8.0 or later, we have provided the
prebuilt C++ add-on. However, the prebuilt C++ add-on depends on
libcurl, whose CA cert store path is determined when building the
libcurl.

Before 1.8.0, the Node.js client depends on C++ client 2.x.y, which
does not include #16064 [2], which fixes the CVE. Before #16064, the
libcurl does not verify the peer, so it would lead to the CVE.

```c++
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
```

You can find a more detailed explanation here [3]. In short, when
users install the Node.js client using the prebuilt C++ add-on, the CA
cert store path is fixed but it could be different in a different OS.
So we have to specify the CA cert store path via the
tlsTrustCertsFilePath config now.

To prevent the code changes, maybe we have to fall back to the old way
to install the Node.js client, i.e. building the C++ add-on in users'
local env.

[1] https://nodejs.org/api/addons.html#c-addons
[2] https://github.com/apache/pulsar/pull/16064
[3] https://github.com/apache/pulsar-client-cpp/issues/184#issuecomment-1420509146


Thanks,
Yunze

On Wed, Feb 22, 2023 at 6:10 PM Enrico Olivelli <eolive...@gmail.com> wrote:
>
> The problem reported by Nicolò seems a real show stopper
> -1 (binding)
>
> Is there any volunteer on fixing the problem?
>
> I think that most Production users use TLS and this problem prevents
> anyone from upgrading from 1.7.x to 1.8.x
>
> Enrico
>
> On Wed, Feb 22, 2023 at 10:33 Nicolò Boschi
> <boschi1...@gmail.com> wrote:
> >
> > Yes, I'm on MacOS
> >
> > Adding the explicit path to the system CA worked, thanks.
> >
> > I wonder why it wasn't needed in 1.7.0 and now it's required in 1.8.1.
> > This can be problematic for users because the client upgrade requires code
> > changes and redeployment.
> > Maybe it's a regression from 1.8.0, but I think that we need to get that
> > fixed in 1.8.1
> >
> > Nicolò Boschi
> >
> >
> > On Wed, Feb 22, 2023 at 10:17 Baodi Shi <ba...@apache.org>
> > wrote:
> >
> > > Hi, @Nicolò Boschi <boschi1...@gmail.com>
> > >
> > > Is your system macOS(arm64)?
> > >
> > > Maybe you should set tlsTrustCertsFilePath:
> > >
> > >   const client = new Pulsar.Client({
> > >     tlsTrustCertsFilePath: '/etc/ssl/cert.pem',
> > >   });
> > >
> > > Thanks,
> > > Baodi Shi
> > >
> > >
> > > On Feb 22, 2023 at 15:59:28, Nicolò Boschi <boschi1...@gmail.com> wrote:
> > >
> > >> Hi,
> > >>
> > >> I'm having issues while validating the fix related to the hostname
> > >> verification: https://github.com/apache/pulsar-client-cpp/pull/126
> > >> My usecase is with a valid TLS certificate signed by a CA (not a
> > >> self-signed one).
> > >>
> > >> My code is very simple (see below): it creates a client with token auth +
> > >> TLS and sends some messages.
> > >>
> > >> It works well with node client 1.7.0 with cpp client 3.1.2
> > >> It fails with node client 1.8.0 (as expected)
> > >> It still fails with the rc: 1.8.1-rc.1
> > >>
> > >> (I'm installing the dependency with "npm i pulsar-client@1.8.1-rc.1
> > >> --pulsar_binary_host_mirror=
> > >> https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/";
> > >>
> > >> The error I'm seeing is this one:
> > >>
> > >> [INFO][ClientConnection:388] Connected to broker
> > >> [ERROR][ClientConnection:488] Handshake failed: certificate verify failed
> > >> (SSL routines, tls_process_server_certificate)
> > >> [INFO][ClientConnection:1600] Connection closed with ConnectError
> > >>
> > >> Note that setting `tlsValidateHostname: true` "resolves" the problem,
> > >> however it's not acceptable as you know.
> > >>
> > >> I'm pretty sure that it's related to the cpp client dependency, however I'm
> > >> not very familiar with it and how it's bundled in the node client >= 1.8.0.
> > >> Is there a way to verify if the bundled cpp client is actually the
> > >> expected one?
> > >>
> > >>
> > >>
> > >> This is the code snippet:
> > >> ```javascript
> > >> // Excerpt: this runs inside an async function; asToken, pulsarUrl and
> > >> // asTopic are supplied by the surrounding code.
> > >> const Pulsar = require('pulsar-client');
> > >>
> > >> const tokenStr = asToken;
> > >> const pulsarUri = pulsarUrl;
> > >> const topicName = asTopic;
> > >>
> > >> const auth = new Pulsar.AuthenticationToken({ token: tokenStr });
> > >> const client = new Pulsar.Client({
> > >>   serviceUrl: pulsarUri,
> > >>   authentication: auth,
> > >>   operationTimeoutSeconds: 30,
> > >>   tlsCertificateFilePath: "",
> > >>   tlsValidateHostname: false
> > >> });
> > >> Pulsar.Client.setLogHandler((level, file, line, message) => {
> > >>   console.log('[%s][%s:%d] %s', Pulsar.LogLevel.toString(level), file, line, message);
> > >> });
> > >>
> > >> const producer = await client.createProducer({
> > >>   topic: topicName,
> > >> });
> > >>
> > >> for (let i = 0; i < 10; i += 1) {
> > >>   await producer.send({
> > >>     data: Buffer.from("nodejs-message-" + i),
> > >>   });
> > >>   console.log("send message " + i);
> > >> }
> > >> await producer.flush();
> > >> await producer.close();
> > >> await client.close();
> > >> ```
> > >>
> > >> Thanks,
> > >> Nicolò Boschi
> > >>
> > >>
> > >> On Wed, Feb 22, 2023 at 08:02 Yunze Xu
> > >> <y...@streamnative.io.invalid> wrote:
> > >>
> > >> +1 (binding)
> > >>
> > >> * Verified checksum and signature
> > >> * Build from source
> > >> * Install from npm on Ubuntu 20.04
> > >> * Run an end-to-end test with custom `tlsTrustCertsFilePath` config on
> > >> StreamNative cloud with OAuth2 authentication
> > >>
> > >> BTW, from the discussion here [1], it would be better to use
> > >> https://downloads.apache.org/pulsar/KEYS as the KEYS,
> > >>
> > >> [1] https://lists.apache.org/thread/f9w430oqpm0g72b1htwbtc8y3mfqf8r6
> > >>
> > >> Thanks,
> > >> Yunze
> > >>
> > >> On Mon, Feb 20, 2023 at 5:36 PM Nozomi Kurihara <nkuri...@apache.org>
> > >> wrote:
> > >> >
> > >> > +1 (binding)
> > >> >
> > >> > * checked license headers
> > >> > * verified checksum and signature
> > >> > * install from npm and run producer/consumer
> > >> >
> > >> > Thanks,
> > >> > Nozomi
> > >> >
> > >> > On Fri, Feb 17, 2023 at 19:12 Baodi Shi <ba...@apache.org>:
> > >> >
> > >> > > Hi everyone,
> > >> > >
> > >> > > This is the first release candidate for Apache Pulsar Node.js client,
> > >> > > version 1.8.1.
> > >> > >
> > >> > > It fixes the following issues:
> > >> > > https://github.com/apache/pulsar-client-node/pulls?q=is%3Apr+label%3Arelease%2Fv1.8.1+is%3Aclosed
> > >> > >
> > >> > > Please download the source files and review this release candidate:
> > >> > > - Download the source package, verify shasum and asc
> > >> > > - Follow the README.md to build and run the Pulsar Node.js client.
> > >> > >
> > >> > > The release candidate package has been published to the npm
> > >> > > registry: https://www.npmjs.com/package/pulsar-client/v/1.8.1-rc.1
> > >> > > You can install it by `npm i pulsar-client@1.8.1-rc.1
> > >> > > --pulsar_binary_host_mirror=https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/`
> > >> > > and verify the package.
> > >> > >
> > >> > > The vote will be open for at least 72 hours. It is adopted by majority
> > >> > > approval, with at least 3 PMC affirmative votes.
> > >> > >
> > >> > > Source files:
> > >> > > https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/pulsar-client-node-1.8.1-rc.1/
> > >> > >
> > >> > > Pulsar's KEYS file containing PGP keys we use to sign the
> > >> > > release: https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > >> > >
> > >> > > SHA-512 checksum:
> > >> > > ed89b4ad467d3cb75ed37096b35d91b872cd93d36cd953512fc7edcb75dbac5162592f6f51b5ab08f26b3dca1c57a3d3fe7a5e4f109551c66943a5b09392d51a  apache-pulsar-client-node-1.8.1.tar.gz
> > >> > >
> > >> > > The tag to be voted upon:
> > >> > > v1.8.1-rc.1 (3e843f0)
> > >> > > https://github.com/apache/pulsar-client-node/releases/tag/v1.8.1-rc.1
> > >> > >
> > >> > > Please review and vote on the release candidate #1 for the version
> > >> > > 1.8.1, as follows:
> > >> > > [ ] +1, Approve the release
> > >> > > [ ] -1, Do not approve the release (please provide specific comments)
> > >> > >
> > >> > > Thanks,
> > >> > > Baodi Shi
