Nuxt.js: Server-side HTTPs requests to API fail: 'sslv3 alert handshake failure'

Created on 2 Mar 2018  路  3Comments  路  Source: nuxt/nuxt.js

I'm building a Nuxt application utilising server-side rendering and a Vuex connecting to an external API. I want to fill my store with some data on application start - on (re)load basically - right now it only fetches data when you navigate to one of the pages using the internal links of the application. SSR isn't working as well.

So I'm trying to use nuxtServerInit in index.js (I'm using Vuex modules) and dispatch an action to one of my store modules. The axios request causes an error however: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure, this error doesn't occur when axios does the same request from the client-side.

I think I've narrowed it down to this node https issue. When I run a plain Node https request from nuxtServerInit I get the error, but when I append 'ecdhCurve' : 'auto' to the request options the request resolves normally. Is it possible to configure Nuxt to automatically append the option to all https request of my application, or is that bad practice and is the API server I'm connecting to at fault here?

This fails:

    const request = https.get({
      hostname: 'api.example.com',
      path: '/my/endpoint'
    })

This works:

    const request = https.get({
      hostname: 'api.example.com',
      path: '/my/endpoint',
      ecdhCurve: 'auto'
    })

I'm running Node v9.6.1 (Homebrew version, but it fails on a Linux box as well with v9.5.0) and Nuxt 1.4.0.

This question is available on Nuxt.js community (#c2545)
picture mensch

Most helpful comment

If client isn't affected, you might want to do

const tls = require('tls')
tls.DEFAULT_ECDH_CURVE = 'auto'

somewhere, for example in server.js (your file) or even at the top of nuxt.config.js.
This will only affect the server module and not go to the client at all.

Regarding security, as far as I understood the 8.x.x release accidentally shipped a strict setting for curves (but not the most secure one), and they can't change the default until 10.x.x because of LTS/semver reasons.
In 10.x.x it is 'auto' so I doubt that's a very insecure option.

picture qm3ster on 3 Mar 2018
👍3

All 3 comments

I've been poking around in the configuration of the API server and changed the ssl_ecdh_curve value of nginx to prime256v1 instead of secp384r1 and requests now go through properly and SSR is working. Using secp521r1 also works, so I'm not really sure what's going on here.

mensch picture mensch on 2 Mar 2018

If client isn't affected, you might want to do

const tls = require('tls')
tls.DEFAULT_ECDH_CURVE = 'auto'

somewhere, for example in server.js (your file) or even at the top of nuxt.config.js.
This will only affect the server module and not go to the client at all.

Regarding security, as far as I understood the 8.x.x release accidentally shipped a strict setting for curves (but not the most secure one), and they can't change the default until 10.x.x because of LTS/semver reasons.
In 10.x.x it is 'auto' so I doubt that's a very insecure option.

qm3ster picture qm3ster on 3 Mar 2018
👍3

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock[bot] picture lock[bot] on 4 Nov 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

danieloprado picture danieloprado  路  3Comments
vadimsg picture vadimsg  路  3Comments
vadimsg picture vadimsg  路  3Comments
bimohxh picture bimohxh  路  3Comments
shyamchandranmec picture shyamchandranmec  路  3Comments