supabase icon indicating copy to clipboard operation
supabase copied to clipboard
verified publisher icon supabase

Edge function suddenly stopped working due to SSL error

Open GregorioDiStefano opened this issue 3 years ago • 1 comments

A few days ago (between Christmas and New Years), I realized my edge functions stopped working for my project in Chrome 108 with very non specific errors just stating Error on fetch.

I realized the same requests failed in cURL with an OpenSSL error. I created a new function, based on the simplest example I could find, the location returning edge function (https://github.com/supabase/supabase/tree/master/examples/edge-functions/supabase/functions/location)

Interestingly enough, this fails as well, see the cURL output:

➜  functions git:(master) ✗ curl -vv -L -X POST 'https://uj*****valynkeycpq.functions.supabase.co/location' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ********gWjp0zsI' --data '{"name":"Functions"}'
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 34.120.54.55:443...
* Connected to uaou*****cpq.functions.supabase.co (34.120.54.55) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.functions.supabase.in
*  start date: Nov 17 09:54:59 2022 GMT
*  expire date: Feb 15 09:54:58 2023 GMT
*  subjectAltName: host "uaouvj****nkeycq.functions.supabase.co" matched cert's "*.functions.supabase.co"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x564043b1e960)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> POST /location HTTP/2
> Host: uao********keycpq.functions.supabase.co
> user-agent: curl/7.81.0
> accept: */*
> authorization: Bearer eyJhbGciOiJI****K218H1HQgWjp0zsI
> content-length: 20
> content-type: application/x-www-form-urlencoded
> 
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* We are completely uploaded and fine
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_SYSCALL, errno 0
* Failed sending HTTP2 data
* Connection #0 to host uaouvjpx******eycpq.functions.supabase.co left intact
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0

Edge functions used to work fine, and suddenly my existing ones stopped working, and new examples also result in this OpenSSL issue -- did anything change on your end during the holidays? System is using OpenSSL 3.0.2 on a fully updated Linux Mint

GregorioDiStefano avatar Jan 04 '23 14:01 GregorioDiStefano

Another interesting find is that invalidating the Authorization by either modifying it or removing it actually returns the expected response: Invalid JWT or Missing authorization header respectively.

However, if Authorization is correctly set, I get the OpenSSL error as posted above

GregorioDiStefano avatar Jan 04 '23 15:01 GregorioDiStefano

@GregorioDiStefano No, there were no changes on our end. Can you try to see if updating to OpenSSL 3.1 solves the issue (alternatively, you can try downgrading to the previous LTS version 1.1.1)

laktek avatar Jan 21 '23 20:01 laktek

Closing this issue due to inactivity.

laktek avatar Feb 24 '23 05:02 laktek