Node: [Bug] Node 10.1.0 TLS issue with ldap: Client network socket disconnected before secure TLS connection was established
We are experiencing issue while login to ldap in paralele.
The service we use is verdaccio v3.0.2 with an Alpine linux docker container.
We use verdaccio-ldap module for the ldap authentication part.
We are experiencing issue due to multiple transactions to the LDAP through TLS.
This happens after upgrade to node 10.1.0.
Error: Client network socket disconnected before secure TLS connection was established
at TLSSocket.onConnectEnd (_tls_wrap.js:1092:19)
at Object.onceWrapper (events.js:273:13)
at TLSSocket.emit (events.js:187:15)
at endReadableNT (_stream_readable.js:1086:12)
at process._tickCallback (internal/process/next_tick.js:63:19)
- Version: Node 10.1.0 npm 6.1.0
- Platform: Debian
- Subsystem: Alpine
kopax
All 26 comments
Do you have a minimal code example (preferrably free of third party modules) that reproduces the error?
mscdex
on 2 Jun 2018
Unfortunately no, because the specs for reproducing are super computers :
- OpenLdap 2.4.44 in Debian Docker container on Host A
Verdaccio 3.0.2 in Alpine Docker container on Host A
GitLab-CE on Host B
- Gitlab-Runner on Host B
Each host has 32GB RAM, 8CPU. The local bandwidth is 10GPB/S.
We are not able to reproduce the bug without as much power, but if you got so, it is verry easy.
If you have that, you can use https://github.com/vesse/node-ldapauth-fork to authenticate using node to a secure OpenLap. Do that in parrallele and you'll get your error.
kopax
on 2 Jun 2018
I'm sorry, but this bug report is not actionable if there is no way to reproduce or establish it's a bug in Node.js core (since it could be a bug in one of the modules you're using.)
I'll close this out, let me know if you have a test case that doesn't depend on third-party components.
bnoordhuis
on 2 Jun 2018
Hey,
i get the same error, i am running on node v10.1.0 and OS is linux 16.04 x64
i tried requests and axios and the native https and the first two fall on the same error
and the https request never returns
to reproduce try the following:
npm install axios
const axios = require('axios');
axios.get('https://api.nasa.gov/planetary/apod?api_key=DEMO_KEY')
聽 .then(response => {
聽 聽 console.log(response.data.url);
聽 聽 console.log(response.data.explanation);
聽 })
聽 .catch(error => {
聽 聽 console.log(error);
聽 });
or with the https:
const https = require('https');
https.get('https://api.nasa.gov/planetary/apod?api_key=DEMO_KEY', (resp) => {
let data = '';
// A chunk of data has been recieved.
resp.on('data', (chunk) => {
data += chunk;
});
// The whole response has been received. Print out the result.
resp.on('end', () => {
console.log(JSON.parse(data).explanation);
});
}).on("error", (err) => {
console.log("Error: " + err.message);
});
ihabZhaika
on 10 Jun 2018
I also experience this issue with couple of URLs with Node v10.4.1 on macOS High Sierra Here is sample code to test.
const https = require('https');
https.get('https://supplychain.2go.com.ph', (resp) => {
let data = '';
resp.on('data', (chunk) => {
data += chunk;
});
resp.on('end', () => {
console.log(data);
});
}).on("error", (err) => {
console.log("Error: " + err.message);
});
tosbaha
on 24 Jun 2018
@tosbaha That's unrelated. You can verify with curl or openssl s_client that it's an issue with that host, not Node.js. It simply closes the connection right away.
bnoordhuis
on 24 Jun 2018
@bnoordhuis This web site works on Firefox,Safari,curl without any warning. It is using TLS 1.0 Is there a anyway for me to connect TLS 1.0 sites or it just won't work.
tosbaha
on 24 Jun 2018
Any way to solve this?
jor3l
on 13 Aug 2018
@jor3l
Here are the ways to solve this
- Use old version of NodeJS
- Use other ways to connect to web site such as Puppeteer if you are doing crawling.
NodeJS thinks that it is not their responsibility to support outdated sites. There is no workaround.
tosbaha
on 13 Aug 2018
I can't believe there isn't a way to turn off this level of strictness...
Please let me know if I'm missing something obvious
I am trying to do a simple Http GET request to a site which is using TLS 1.0
Node: v10.9.0
I get the response:
Client network socket disconnected before secure TLS connection was established
I appreciate that this is out-dated technology, but I have no power over the site I'm trying to connect to.
To people who stumble across this message, I'd suggest you check the security settings of the site you're attempting to connect to:
In Chrome
At time of writing @tosbaha example code (above), yields the same error:
https://github.com/nodejs/node/issues/21088#issuecomment-399782127
birksy89
on 17 Nov 2018
secure protocol to use is configurable by command line switch (only in recent master), and by secureProtocol option, see https://nodejs.org/api/all.html#https_https_request_url_options_callback, it mentions secureProtocol, and links to the docs.
sam-github
on 18 Nov 2018
Hi @sam-github
Thanks for the reply - Forgive my ignorance, I'm not very familiar with the platform.
I have updated my copy of Node to run v11.2.0 and using the links you provided, I came up with this - But it's still throwing the error:
const https = require('https');
const options = {
hostname: 'https://supplychain.2go.com.ph',
port: 443,
path: '/',
method: 'GET',
secureProtocol: 'TLSv1_method'
};
const req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.end();
Please can you let me know where I'm going wrong?
Thanks again
-Andrew
birksy89
on 19 Nov 2018
That server only allows insecure TLS 1.0 protocols that have been removed in OpenSSL in node 10.x and higher. You need to set the cipher list, and you need to use a version of openssl prior to 1.1.0, which means node 8.x. Browsers are very, very lenient wrt. insecure ciphers, apparently. Chrome and Lynx connect to that website, but wget and curl do not.
Try this: nvm i 8 && node --tls-cipher-list=DES-CBC3-SHA -e "require('https').get('https://supplychain.2go.com.ph', function(res) {res.pipe(process.stdout)});"
sam-github
on 19 Nov 2018
Thanks again for getting back to me.
I believe the current project has dependencies which require Node v 10+
I may have to shell this bit of responsibility off to it's own environment to pursue.
Thanks again for taking the time to respond.
-Andrew
birksy89
on 19 Nov 2018
@sam-github I am using node 10 and I also keep running into this error when request to www.googleapis.com, e.g. https://www.googleapis.com/blogger/v3/blogs/2399953?key=...
But I found it won't happen to https://samples.openweathermap.org, e.g. https://samples.openweathermap.org/data/2.5/weather?q=London,uk&appid=b6907d289e10d714a6e88b30761fae22
But they both use TLS 1.2 not TLS 1.0 as @birksy89 said. Why openweathermap won't complain ?
qiulang
on 3 Dec 2018
I believe this may be related to the servername option:
// throws
tls.connect({host: 'httpbin.org', port: 443});
// doesn't throw
tls.connect({host: 'httpbin.org', port: 443, servername: 'httpbin.org'});
Maybe it throws due to incorrect servername?
szmarczak
on 23 Dec 2018
Hi,
TLS1.0 is depricated protocol.
You must configure the server to work with the TLS1.2 protocol on all virtual hosts.
Slauta
on 24 Apr 2019
1. Use old version of NodeJS
can anybody tell me what is the latest node version supportin tls 1.0???
I have to access a server I cannot control, so I really need some way to connect to it.
Thanks a lot
opensas
on 2 May 2019
@opensas They all do, it's just disabled by default. Start node like this: node --tls-min-v1.0 app.js
bnoordhuis
on 2 May 2019
@bnoordhuis It appears that only v11 of node supports the --tls-min-v1.0 flag. See the docs for v11 and for v10
stetsmando
on 7 May 2019
Sorry, I should have said: They all do, it's just disabled by default _in some versions_. I asked about back-porting the switches in #27432.
bnoordhuis
on 7 May 2019
hi @bnoordhuis / @sam-github , when will this fix be released and as part of which node version?
saurabh14nov
on 9 May 2019
There are no bugs here to fix. TLS1.0 is supported even in master, check the unit tests: https://github.com/nodejs/node/blob/master/test/parallel/test-tls-min-max-version.js#L99
It is also supported in older versions. how to enable it depends on the version, more recent node has CLI options to change the defaults, older node has to use explicit TLS config, see the tests. EDIT: or docs for the relevant version
sam-github
on 10 May 2019
I just use axios instead of Http to send the request. That resolved my problem.
freedom19920918
on 22 Apr 2020
I can't believe there isn't a way to turn off this level of strictness...
Please let me know if I'm missing something obvious
I am trying to do a simple Http GET request to a site which is using TLS 1.0
Node: v10.9.0
I get the response:
Client network socket disconnected before secure TLS connection was established
I appreciate that this is out-dated technology, but I have no power over the site I'm trying to connect to.
To people who stumble across this message, I'd suggest you check the security settings of the site you're attempting to connect to:
In Chrome
At time of writing @tosbaha example code (above), yields the same error:
#21088 (comment)
use axios instead of http to send the request can reolve this problem
freedom19920918
on 22 Apr 2020
Its not particularly secure, but if absolutely required, --tls-min-v1.0 (and other related options, see docs) can be used to enable insecure TLS features.
sam-github
on 22 Apr 2020
Related issues
filipesilvaa
路
3Comments
addaleax
路
3Comments
dfahlander
路
3Comments
Brekmister
路
3Comments
danielstaleiny
路
3Comments
Most helpful comment
@bnoordhuis This web site works on Firefox,Safari,curl without any warning. It is using TLS 1.0 Is there a anyway for me to connect TLS 1.0 sites or it just won't work.