TLS-Error messages should be passed along #44

Open
a-gold opened this issue Nov 25, 2022 · 5 comments

a-gold commented Nov 25, 2022

Hi,

Today I went through a tough debugging session due to meaningless error messages.

The scenario:
I was only able to connect to a new domain controller via LDAPS from my local machine (running OS X).
My Debian server, however, isn't able to connect and throws the following error message:

admin: {
    "code": "UNSPECIFIED"
}

Pretty expressive! :D

After checking credentials, environment vars, certificates, several server logs, network configuration / firewall traffic, etc.,
I copied the complete source code of this project and added logging messages till I finally got the cause:

EE certificate key too weak

My colleague who set up the domain controller used a certificate with a key length of 1024 bits - which is obviously bad.
I guess OS X is handling this less strictly than Debian. (Well, it could also be caused by the env-var NODE_ENV=production on the Debian machine. I don't know that detail for sure.)
(I expect that it will work as soon as my colleague replaces the certificate.)

Nevertheless, I'd prefer it if the error messages thrown inside the client.on-callbacks in the _ldapBind function were passed along somehow.

client.on('timeout', (err) => {
  reject(err);
});
client.on('connectTimeout', (err) => {
  reject(err);
});
client.on('error', (err) => {
  // Could print the meaningful error message here
  reject(err);
});

client.on('connectError', function (error) {
  if (error) {
    // And here
    reject(error);
    return;
  }
});

Thanks and have a nice day! :)

shaozi (Owner) commented Nov 28, 2022

Very detailed information. Thanks! I would like to add the details of the error. Can you let me know how you got the error: EE certificate key too weak? Which part of the code has this information? I think my code directly rejects with ldapjs's error message and passes that all the way out, which is vague. Where did you get the more specific error message?

a-gold (Author) commented Nov 28, 2022

Hi,

I could print the meaningful errors within these client.on-callbacks inside the _ldapBind function:

client.on('error', (err) => {
  // HERE
  reject(err);
});

and inside

client.on('connectError', (error) => {
  if (error) {
    // AND HERE
    reject(error);
    return;
  }
});

As I said, unfortunately it wasn't passed - or it might be overwritten later.

shaozi (Owner) commented Dec 9, 2022

Hmm... I tried different errors and all of them are passed to the caller as is. I don't think the error has a message field before the reject but loses it afterwards.

It is only my guess that your first error output may be incomplete since the error code is unspecified. But if you print the error the same way as you log the error while you are debugging, it should have more detailed information.

shaozi (Owner) commented Dec 9, 2022

I will set up an environment with a 1024-bit key to try it out.

a-gold (Author) commented Dec 9, 2022

Hm, I actually just logged the error variables err / error to the console. EE certificate key too weak was the full message.

We replaced the certificate in between and it's working now, so unfortunately I can't provide more information.
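
The owner's guess in the thread above, that the first output was incomplete because of how the error was printed, matches how Node.js serializes Error objects: `message` is non-enumerable, so JSON output keeps only fields such as `code`. The following is an added example, not code from the project or from either participant; the error object is constructed, `describeError` and `wrapConnectError` are hypothetical helpers, and whether this was the cause in this issue is not confirmed on the page.

```javascript
// Constructed stand-in for the error from the issue. The exact shape of the
// real ldapjs / Node TLS error object is an assumption.
function makeSampleTlsError() {
  const err = new Error('EE certificate key too weak');
  err.code = 'UNSPECIFIED';
  return err;
}

// Error#message and Error#stack are non-enumerable, so JSON.stringify drops
// them and only the enumerable `code` property survives.
function naiveLog(err) {
  return JSON.stringify(err);
}

// Hypothetical helper: copy the diagnostic fields explicitly and follow the
// `cause` chain so the TLS reason survives serialization into logs.
function describeError(err, depth = 0) {
  if (!(err instanceof Error)) return { value: String(err) };
  const out = { name: err.name, message: err.message };
  for (const key of Object.keys(err)) {
    if (key !== 'cause') out[key] = err[key]; // code, errno, syscall, ...
  }
  if (err.cause !== undefined && depth < 5) {
    out.cause = describeError(err.cause, depth + 1);
  }
  return out;
}

// Hypothetical helper: add connection context for the caller without
// discarding the underlying TLS error (kept as `cause`).
function wrapConnectError(err, url) {
  const wrapped = new Error(`LDAPS connect to ${url} failed: ${err.message}`, {
    cause: err,
  });
  if (err.code !== undefined) wrapped.code = err.code;
  return wrapped;
}

// Prints {"code":"UNSPECIFIED"} and then the full description.
console.log(naiveLog(makeSampleTlsError()));
console.log(JSON.stringify(describeError(makeSampleTlsError())));
```
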
