
SSL Error After Upgrading Application To Node 18 #239

Open
tcs-cclaflin opened this issue Jul 21, 2023 · 4 comments
Comments

@tcs-cclaflin

We have an application that connects to vault that we are trying to upgrade from Node 14 to Node 18. Node 18 introduced a change in the ssl library that causes SSL issues with our instance of vault. The error we are seeing is:

Error: write EPROTO 389B736FE57F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:921:

Recommended solutions when searching that error are to change the SSL configuration at the endpoint (which we can't do easily at this time) or implement SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION or SSL_OP_LEGACY_SERVER_CONNECT as described here: nodejs/node#45378

I found an example of adding securityOptions in pass_request_options.js and tried adding multiple variations (secureOptions, securityOptions, agentOptions, etc.) of that to the options section in the application:

    const options = {
      apiVersion: "v1",
      endpoint: "<SANITIZED>",
      token: process.env.VAULT_TOKEN,
      secureOptions: 'SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION',
      agentOptions: {
        secureOptions: 'SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION',
      },
    };

Can someone confirm what the correct option should be for this package and if this is the correct location to try and implement it?

@TJM

TJM commented Jul 28, 2023

We hit this issue too. This is not a node or node-vault issue. The latest version of OpenSSL, which apparently the latest node container is using, requires the destination to not have unsafe renegotiation. There are workarounds (configurations you can put into the openssl config), or you can get the target web service to secure itself properly.

@aviadhahami
Collaborator

@tcs-cclaflin - heya! Sorry you bumped into that;

I'd follow @TJM's recommendation on upgrading the other server, as it makes less sense to unsecure this app in order for it to be backward compatible;
That being said - it's not always easy.

Please feel free to open a PR to this bug once finding the appropriate location for these configurations

@tcs-cclaflin
Author

Thank you for the replies. Unfortunately we don't control the vault endpoint, so we will have to coordinate with multiple other teams (infrastructure, security, etc.) to try and get it changed.

Seeing this in example/pass_request_options.js made me think it was possible to just override it in this library somehow.

    agentOptions: {
        cert: 'mycert',
        key: 'mykey',
        passphrase: 'password',
        securityOptions: 'SSL_OP_NO_SSLv3',
    },

OpenSSL isn't even installed in the image, so I'm unsure if creating a custom openssl config would work, and I was hoping to not have to go that route.

@Mehak-Baig-Insignia

Any updates on how to resolve this issue?
