
"unsafe legacy renegotiation disabled" in the context of connecting the OIDC #1437

Closed
1 of 2 tasks
Idzana opened this issue Feb 10, 2025 · 14 comments

Comments

@Idzana

Idzana commented Feb 10, 2025

Describe the current behavior

Hi! I'm trying to connect a self-hosted OIDC provider (keycloak).
Keycloak uses a self-signed certificate (signed by the organization CA).
I configured Grist following this instruction https://support.getgrist.com/install/oidc/ and when I try to run the application I get this error.

I tried to use the flag --openssl-legacy-provider, but it looks like on node 18 this flag is ignored.

Are there any alternative solutions to bypass this problem? Both services (grist and keycloak) work in an isolated network, and in terms of security this problem does not matter at all. However, I cannot change the keycloak settings in the organization and want to try to solve the problem by ignoring it.

Steps to reproduce

  1. deploy grist in a kubernetes cluster
  2. have keycloak deployed on a virtual machine
  3. configure HTTPS on the balancer in front of keycloak using a self-signed certificate, with support for TLS 1.1, 1.2 and 1.3 enabled (as far as I know)
  4. follow the instructions at https://support.getgrist.com/install/oidc/ to configure grist
  5. try to deploy the application

Describe the expected behavior

be able to ignore this problem for secure local networks

Where have you encountered this bug?

Instance information (when self-hosting only)

  • Grist instance: k8s
    • Version: 1.3.3
    • URL: local
    • Installation mode: kubernetes
    • Architecture: single-worker

Error: write EPROTO 00082E04FA7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:
at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) {
errno: -71,
code: 'EPROTO',
syscall: 'write'
}

[image attachment]

@Idzana
Author

Idzana commented Feb 10, 2025

Also, I tried to run with versions 1.1.16 and 1.1.5, but it didn't work and the problem remained.

@paulfitz
Member

Maybe NODE_TLS_REJECT_UNAUTHORIZED=0?

GRIST_OIDC_IDP_END_SESSION_ENDPOINT: https://${AUTHELIA_DOMAIN}/logout
# Allow self-signed certificates so this example behaves correctly.
# REMOVE THIS IF HOSTING ON THE INTERNET.
NODE_TLS_REJECT_UNAUTHORIZED: 0

@Idzana
Author

Idzana commented Feb 11, 2025

Quoting paulfitz:

Maybe NODE_TLS_REJECT_UNAUTHORIZED=0?

grist-core/docker-compose-examples/grist-traefik-oidc-auth/docker-compose.yml, lines 29 to 32 in bc95375:

GRIST_OIDC_IDP_END_SESSION_ENDPOINT: https://${AUTHELIA_DOMAIN}/logout
# Allow self-signed certificates so this example behaves correctly.
# REMOVE THIS IF HOSTING ON THE INTERNET.
NODE_TLS_REJECT_UNAUTHORIZED: 0

Thanks for the advice, I tried to use this flag, but the error remained :(

[image attachment]

and there is my configuration

[image attachment]

@Idzana
Author

Idzana commented Feb 18, 2025

@paulfitz any idea about this problem?

@paulfitz
Member

Hmm no I don't. Paging @jordigh or @Spoffy for thoughts. I think Jordi knows a technique for letting a system know you consider a given self-signed certificate trustworthy but it might be a little complicated.

@Idzana
Author

Idzana commented Feb 28, 2025

@jordigh, @Spoffy can you help?

@00041275

I have the same problem; living with grist in a test env without keycloak :(

@paulfitz
Member

@jordigh do you think setting NODE_EXTRA_CA_CERTSFILE could help? https://nodejs.org/api/cli.html#node_extra_ca_certsfile

@00041275

NODE_EXTRA_CA_CERTSFILE

it doesn't help

@paulfitz
Member

@00041275 what did you try? From its documentation looks like it should be full path to a cert. You'd need to take care that path is available within the container.

@jordigh
Contributor

jordigh commented Mar 14, 2025

@Idzana I'm interested in why you commented out NODE_EXTRA_CA_CERTS. I am guessing you tried setting it and it didn't work? And did you include the self-signed cert in the file referenced there? You can just append your own self-signed cert to that file.

@00041275

for now I have OKD container with NODE_EXTRA_CA_CERTS and keycloak env

dockerfile

FROM gristlabs/grist:1.4.1
USER root
# No whitespace may follow the continuation backslash, or the RUN line is cut short.
RUN apt-get update && \
    apt-get -y upgrade openssl && \
    apt-get -y install sudo ca-certificates
# Organisation CA chain (root plus intermediates) that signed the keycloak certificate.
COPY RootCA.crt SubCA1.crt SubCA2.crt /usr/share/ca-certificates/
RUN cat /usr/share/ca-certificates/*.crt > /etc/ssl/certs/ca-bundle.crt
# Node loads this bundle in addition to its built-in roots; the path must exist inside the container.
ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-bundle.crt
RUN update-ca-certificates
RUN apt-get clean
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt

EXPOSE 8080

deploy env

- name: NO_PROXY
  value: "cloudkc-test.company.mydomain,*.company.mydomain"
- name: GRIST_FORWARD_AUTH_LOGIN_PATH
  value: "https://cloudkc-test.company.mydomain/realms/grist/protocol/openid-connect/auth"
- name: GRIST_FORWARD_AUTH_LOGOUT_PATH
  value: "https://cloudkc-test.company.mydomain/realms/grist/protocol/openid-connect/logout"
- name: GRIST_IGNORE_SESSION
  value: "true"
- name: GRIST_OIDC_IDP_ISSUER
  value: "https://cloudkc-test.company.mydomain/realms/grist/.well-known/openid-configuration"
- name: GRIST_OIDC_IDP_CLIENT_ID
  value: "grist-client"
- name: GRIST_OIDC_IDP_CLIENT_SECRET
  value: "some_secret"

console

2025-03-14 23:07:11.614 - info: Loading config file from /persist/config.json
Welcome to Grist.
Setting up database...
Database setup complete.
2025-03-14 23:07:15.467 - info: == Grist version is 1.4.1 (commit unknown)
Error: write EPROTO C08CA2479A7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:921:
at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:87:19) {
errno: -71,

Second, I added an openssl config to the Dockerfile, but nothing changed.

opensslfile

# Node 18+ reads the `nodejs_conf` section of OPENSSL_CONF by default; the
# `openssl_conf` section is only consulted with --openssl-shared-config.
# Point both names at the same init section so either path works.
openssl_conf = openssl_init
nodejs_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Accept peers that do not implement RFC 5746 secure renegotiation
# (the same effect as SSL_OP_LEGACY_SERVER_CONNECT).
Options = UnsafeLegacyRenegotiation

appended instruction to dockerfile

COPY openssl.conf /usr/share/ssl/
# The running Grist process picks the file up through this variable.
ENV OPENSSL_CONF=/usr/share/ssl/openssl.conf
# This RUN only affects a throwaway node process at build time; it has no effect at runtime.
RUN node --openssl-config=/usr/share/ssl/openssl.conf

console

Running Grist as user 1000840000 with primary group 0
2025-03-14 23:14:54.467 - info: Loading config file from /persist/config.json
Welcome to Grist.
Setting up database...
Database setup complete.
2025-03-14 23:14:57.681 - info: == Grist version is 1.4.1 (commit unknown)
Error: write EPROTO C0BC6344C07F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:921:
at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:87:19) {
errno: -71,
code: 'EPROTO',
syscall: 'write'
}

If I delete the env for keycloak, grist runs fine.
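Added example (not Grist's code and not from any poster in this thread): a small Node.js triage helper for the EPROTO errors shown above. It splits the OpenSSL 3 error string into its fields and separates the renegotiation failure in this thread, which no trust-store setting (NODE_EXTRA_CA_CERTS, NODE_TLS_REJECT_UNAUTHORIZED) can change because it means the peer finished a TLS 1.2-or-lower handshake without the RFC 5746 secure-renegotiation extension, from certificate-verification failures, which those settings do address. The first sample message is the one from the first report in this issue; the second sample and the function names, `TRUST_CODES` table and `diagnose` output shape are my own.

```javascript
'use strict';
// Added example, not Grist code: triage Node/OpenSSL EPROTO errors.
// OpenSSL 3 error strings look like
//   <addr>:error:<code>:<library>:<function>:<reason>:<file>:<line>:
// and the <reason> field decides which knob, if any, is relevant.

// Error message copied from the first report in this issue.
const ISSUE_ERROR =
  'write EPROTO 00082E04FA7F0000:error:0A000152:SSL routines:final_renegotiate:' +
  'unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:';

// Error codes Node attaches when OpenSSL certificate verification fails.
const TRUST_CODES = new Set([
  'SELF_SIGNED_CERT_IN_CHAIN',
  'DEPTH_ZERO_SELF_SIGNED_CERT',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'CERT_HAS_EXPIRED',
]);

const OPENSSL_ERR = /error:([0-9A-F]{8}):([^:]+):([^:]+):([^:]+):([^:]*):(\d+)/;

// Split an OpenSSL 3 error string into its fields; null if the message has none.
function parseOpensslError(message) {
  const m = OPENSSL_ERR.exec(message || '');
  if (!m) return null;
  return { code: m[1], library: m[2], func: m[3], reason: m[4], file: m[5], line: Number(m[6]) };
}

// Classify an Error-like object ({ code, message }) as thrown by Node's TLS layer.
function diagnose(err) {
  const parsed = parseOpensslError(err.message);
  if (parsed && parsed.reason === 'unsafe legacy renegotiation disabled') {
    return {
      category: 'renegotiation',
      parsed,
      explanation: 'The peer completed a TLS <= 1.2 handshake without the RFC 5746 ' +
        'secure-renegotiation extension; OpenSSL 3 rejects such peers by default.',
      fix: 'Change the TLS terminator in front of the IdP (enable secure renegotiation, ' +
        'or serve TLS 1.3, which has no renegotiation). NODE_EXTRA_CA_CERTS and ' +
        'NODE_TLS_REJECT_UNAUTHORIZED only govern certificate trust and do not apply.',
    };
  }
  if (TRUST_CODES.has(err.code) || (parsed && /certificate/.test(parsed.reason))) {
    return {
      category: 'trust',
      parsed,
      explanation: 'The certificate chain could not be verified against the trust store.',
      fix: 'Put the issuing CA chain (root plus intermediates) in one PEM file and point ' +
        'NODE_EXTRA_CA_CERTS at a path that exists inside the container.',
    };
  }
  return { category: 'other', parsed, explanation: 'Not a TLS trust or renegotiation failure.', fix: null };
}

function main() {
  // The second sample is constructed to show the contrasting case.
  const samples = [
    { code: 'EPROTO', message: ISSUE_ERROR },
    { code: 'SELF_SIGNED_CERT_IN_CHAIN', message: 'self signed certificate in certificate chain' },
  ];
  for (const s of samples) {
    const d = diagnose(s);
    console.log(`${s.code}: ${d.category}\n  ${d.explanation}\n  fix: ${d.fix}`);
  }
}

main();
```

Run it with `node triage.js`. To confirm the diagnosis against the IdP itself, `openssl s_client -connect host:443` prints "Secure Renegotiation IS supported" or "IS NOT supported" in its connection summary; the switch to TLS 1.3 that resolved this thread sidesteps the check entirely because TLS 1.3 removed renegotiation from the protocol.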

@Idzana
Author

Idzana commented Mar 17, 2025

@Idzana I'm interested in why you commented out NODE_EXTRA_CA_CERTS. I am guessing you tried setting it and it didn't work? And did you include the self-signed cert in the file referenced there? You can just append your own self-signed cert to that file.

Hi!
Yes, you're right. I already tried to use this field with the path to the cert, but it looks like it's ignored by node.

Do I understand correctly that I need to use the root certificate and sub certificate of my certification center there?
The keycloak end certificate itself is not added, is it?

@00041275

00041275 commented Mar 19, 2025

The problem resolves after changing the protocol to TLS 1.3.

@Idzana Idzana closed this as completed Mar 20, 2025