openssl-legacy-provider CLI argument doesn't seem to work as expected #47379
Comments
You can enable the unsafe legacy renegotiation by setting |
Yes, I am also trying to upgrade the SSL cipher suites, but i would want to have a temporary workaround. |
You should be able to set up an openssl.cnf that is configured appropriately and tell node to use that (e.g. setting the |
Understood, Thanks a lot for your time and information |
I think the error I have struggled a lot with this error, and in every case ended up downgrading to Node 16. I have tried both
    openssl_conf = openssl_init
    [openssl_init]
    ssl_conf = ssl_sect
    [ssl_sect]
    system_default = system_default_sect
    [system_default_sect]
    Options = UnsafeLegacyServerConnect
Since the option If someone finds a solution, please write about it :-) |
@mikaello you need to set the section name as So for example, you could use the following:
I've a PoC w/ docker if its of interest: https://github.com/ckcr4lyf/no-rfc5746/blob/ed83a446e4aaa08f1edaa96af9b41c91b56834f5/Dockerfile |
I have tried various combinations of all these settings on nodejs 18.16.0 windows x64, to no avail. I'm always getting "unsafe legacy renegotiation disabled". This is stemming from the transparent ssl proxy on my corporate network. I know I had this working a while back (multiple months) on nodejs 18, and my notes only say to use --openssl-legacy-provider. Not sure if nodejs changed or our ssl snooper changed. Setting secureOptions to either SSL_OP_LEGACY_SERVER_CONNECT or SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION does fix the problem. But I'm trying to get npm to work, so I need a more global setting. When I use --openssl-config=xxxx I don't get any error even when I supply a nonexistent filename. Makes me wonder if this option is actually reading in the openssl.cnf I'm trying to give it. Tried both UnsafeLegacyRenegotiation and UnsafeLegacyServerConnect. Neither changed the behavior. |
@stillcollating what is the command when you're trying to pass it as CLI to npm? I am not sure if passing it via, e.g.
I think npm won't pass those down to You can try and use the |
Do you remember which version of 18? The behavior of the section in openssl.cnf was changed in |
@ckcr4lyf I've been doing my testing with just nodejs using a test.js that calls https.request. If I set secureOptions with SSL_OP_LEGACY_SERVER_CONNECT or SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION the https.request works. I just need that to be the default behavior in any call to https.request. The openssl-config setting seems the most likely solution but it is not working for me thus far. In windows command prompt I have been testing using:
    node --openssl-config=openssl.cnf test.js
openssl.cnf and test.js are in the current working directory, and test.js contains a call to https.request. No error is given with a nonexistent openssl.cnf, and supplying a valid openssl.cnf file with the suggested settings does not fix the issue. I also tried setting the OPENSSL_CONF environment variable and no luck. I get the feeling this is likely specific to the Windows version of node, but that's just a guess. |
Right, it is silently ignored
I think you might be right, I can't confirm this as I'm on Linux, but when I later get access to a Windows PC I'll try. |
I had a similar issue on Windows using node 18.17.0 and npm 9.6.7. I had some success using a variation on the above answers by @mikaello and @ckcr4lyf where either the last or first line is changed respectively. |
I use |
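The comments above show that the openssl.cnf chain only takes effect when every link resolves (root key, then ssl_conf, then system_default, then Options) and that a mistyped file or section name fails silently. The following checker, added here and not part of the issue or of Node.js, parses a config in that format and reports whether UnsafeLegacyServerConnect is actually reachable. It assumes Node's default root key is `nodejs_conf` (`openssl_conf` is only honoured with --openssl-shared-config); the sample config is the one posted above, embedded as a constructed string.

```javascript
// Added example (not from the issue or Node.js): verify that an OpenSSL config
// really reaches Options = UnsafeLegacyServerConnect through the section chain
// root -> ssl_conf -> system_default, the way the comments above describe.

// Parse OpenSSL-style INI text into { sectionName: { key: value } }.
// Keys before the first [section] header live in the '' (default) section.
// '#' starts a comment; whitespace around keys and values is ignored.
function parseOpensslCnf(text) {
  const sections = { '': {} };
  let current = '';
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const header = line.match(/^\[\s*([^\]]+?)\s*\]$/);
    if (header) {
      current = header[1];
      sections[current] = sections[current] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Follow the chain from rootKey and report whether UnsafeLegacyServerConnect
// is in the system_default Options. Node reads 'nodejs_conf' by default
// (assumption: 'openssl_conf' only applies with --openssl-shared-config).
// Any missing link returns found: false, which is the silent failure the
// Windows reporter above ran into.
function legacyServerConnectStatus(text, rootKey = 'nodejs_conf') {
  const s = parseOpensslCnf(text);
  const init = s[''][rootKey] && s[s[''][rootKey]];
  const sslSect = init && init.ssl_conf && s[init.ssl_conf];
  const sysDef = sslSect && sslSect.system_default && s[sslSect.system_default];
  if (!sysDef || !sysDef.Options) return { found: false, options: null };
  const opts = sysDef.Options.split(',').map((o) => o.trim());
  return { found: opts.includes('UnsafeLegacyServerConnect'), options: opts };
}

// Constructed sample: the config posted above, keyed openssl_conf rather
// than nodejs_conf, so Node's default lookup will not find it.
const SHARED_STYLE = `openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyServerConnect`;
```

Run the checker against the exact file and root key you pass to node before concluding that --openssl-config is ignored; a chain that resolves here but still fails at runtime points at the loader, not the file.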
Version
v18.15.0
Platform
5.4.0-1089-azure #94~18.04.1-Ubuntu SMP Fri Aug 5 12:34:50 UTC 2022 x86_64 GNU/Linux
Subsystem
No response
What steps will reproduce the bug?
I recently upgraded the service that I was working on from node:14 to node:18, and I was getting the following error:
    write EPROTO C057DCF6287F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled
When I investigated a bit, I found that in node:17 openssl was upgraded to 3.0.0, which resulted in removing the support for legacy cipher algorithms. And the workaround for the same was running with --openssl-legacy-provider. I tried running with this and it didn't work. Can you please help me here?
How often does it reproduce? Is there a required condition?
No response
What is the expected behavior? Why is that the expected behavior?
As per the documentation, --openssl-legacy-provider should work and it should switch to the legacy provider of openssl 3.0.0. But I was still getting the same error.
What do you see instead?
    write EPROTO C057DCF6287F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled
Additional information
I tried running the service/script with the following command (app.js is the file name):
    node --openssl-legacy-provider app.js
I also tried doing this:
    node app.js --openssl-legacy-provider