This repository has been archived by the owner on Nov 23, 2020. It is now read-only.

SSL error in 4.2.0.4 #85

Closed
toth-dev opened this issue Feb 8, 2020 · 5 comments

toth-dev commented Feb 8, 2020

Bug

Might be related to #84, I get this error with a valid (Let's Encrypt) cert from my NextCloud instance:

Failed to read document from storage. Please contact your storage server (my.nextcloud.domain) administrator.

The error is not present in 4.2.0.3, I used these versions:

collabora/code        4.2.0.4               3b9a06dbb781
collabora/code        latest                3b9a06dbb781
collabora/code        4.2.0.3               011a1dd63300

This is what I found in the logs of the container:

wsd-00028-00042 2020-02-08 14:32:41.284030 [ docbroker_003 ] ERR  Cannot get file info from WOPI storage uri [https://domain/index.php/apps/richdocuments/wopi/files/5670_oc4z84l9jx85?access_token=TOKEN&access_token_ttl=0]. Error: SSL Exception: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure| wsd/Storage.cpp:561
wsd-00028-00042 2020-02-08 14:32:41.284167 [ docbroker_003 ] ERR  loading document exception: SSL Exception| wsd/DocumentBroker.cpp:1331
wsd-00028-00042 2020-02-08 14:32:41.284215 [ docbroker_003 ] ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/5670_oc4z84l9jx85] with URI [https://domain/index.php/apps/richdocuments/wopi/files/5670_oc4z84l9jx85?access_token=TOKEN&access_token_ttl=0]: SSL Exception| wsd/DocumentBroker.cpp:1293
wsd-00028-00042 2020-02-08 14:32:41.284275 [ docbroker_003 ] ERR  Error while loading : SSL Exception| wsd/LOOLWSD.cpp:2899

My guess

Might be related to server SSL version, because 4.2.0.4 works OK with a different NextCloud server:

  • Working: docker container on the same host as CODE, nginx 1.14.0, OpenSSL 1.1.1

  • Not working: Raspberry Pi, nginx/1.14.2, OpenSSL 1.1.1c

The cipher config is the same on the two servers:

ssl_protocols       TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

4oo4 commented Feb 22, 2020

I'm getting this too with almost the exact same TLS config. As a test I also tried adding TLSv1.1 to my protocols, but no luck. Another thing I noticed was that the Nextcloud URL it's referencing is https://cloud.example.com/index.php/apps/richdocuments/wopi/... whereas the correct URL should be https://cloud.example.com/apps/richdocuments/wopi, so it doesn't seem to be respecting the setting to remove that from URLs (can't remember exactly what Nextcloud calls that). I tried a rewrite so it would get redirected to the correct URL, but no luck. Will try downgrading.

nginx version: nginx/1.17.8
built with OpenSSL 1.1.1d  10 Sep 2019

EDIT: Downgrading to 4.2.0.3 fixes the SSL issue, but I still have the issue with the index.php URL. I'll file a separate issue for that.


ornago commented Mar 27, 2020

Got the same sslv3 handshake error on my server. The problem appeared since I updated to Debian Buster. Same cipher and TLS settings here. Same problem with docker version or without docker. Adminconsole is reachable.

How can I downgrade my loolwsd package? The apt source gives me only 4.2.0-6?

Member

timar commented Mar 27, 2020

> How can I downgrade my loolwsd package? The apt source gives me only 4.2.0-6?

Older docker images are available. They are tagged. Older packages are not available.
We are debugging an issue now where loolwsd throws an SSL exception when it has to download from a site with an SSL certificate made with an elliptical curve key, e.g. EC 384. Maybe this is related.
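
An added example, not part of the thread or of the project's code: the Python sketch below asks the local OpenSSL build (through the standard `ssl` module) which names in the `ssl_ciphers` line posted in this issue it recognises, and which certificate key type each recognised TLS 1.2 suite authenticates with, the property the remark about EC-key certificates turns on. The function names are illustrative, and the results depend on the OpenSSL the interpreter is linked against.

```python
import ssl

# The ssl_ciphers value quoted in the issue (same line on both servers).
POSTED = ("ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
          "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-RSA-AES256-SHA384")


def describe(name):
    """OpenSSL's description of one TLS 1.2 cipher name, or None when the
    local build does not know (or refuses) that name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(name)        # raises when no TLS 1.2 suite matches
    except ssl.SSLError:
        return None
    for c in ctx.get_ciphers():      # TLS 1.3 suites are listed too; skip them
        if c["name"] == name:
            return c
    return None


def audit(cipher_string):
    """Split an ssl_ciphers value into recognised and ignored names.
    Recognised names map to OpenSSL's auth field, e.g. 'auth-rsa'."""
    known, ignored = {}, []
    for name in filter(None, cipher_string.split(":")):
        info = describe(name)
        if info is None:
            ignored.append(name)
        else:
            known[name] = info.get("auth", "unknown")
    return known, ignored


def usable_with(cipher_string, cert_auth):
    """TLS 1.2 suites in the list that a server whose certificate is of the
    given type ('auth-rsa' or 'auth-ecdsa') can negotiate."""
    known, _ = audit(cipher_string)
    return [n for n, auth in known.items() if auth == cert_auth]


if __name__ == "__main__":
    known, ignored = audit(POSTED)
    print("ignored by OpenSSL:", ignored)
    for name, auth in known.items():
        print(f"{name:32} {auth}")
    print("TLS 1.2 suites for an EC-key cert:",
          usable_with(POSTED, "auth-ecdsa"))
```

TLS 1.3 suites are not selected by this cipher string and are not tied to the certificate key type, so the check says nothing about a TLS 1.3 handshake.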

@toth-dev
Author

The error is present in the latest build of 4.2.0.4 (30a8806433f4), but it is fixed for me in 4.2.1.3 and 4.2.2.1

@thebearon

Great, thanks for the feedback!
