
Comments (16)

metcoder95 commented on May 24, 2024

I'm still having a hard time reproducing; most likely I might be doing it wrong. Though, an openssl.cnf example for a customized behaviour should follow a similar format:

nodejs_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2

And it should be passed down to node using either its flag or the environment variable OPENSSL_CONF.
e.g. flag
node --openssl-config /path/to/config script.js

or through env var
OPENSSL_CONF=/path/to/config node script.js

Poyoman39 commented on May 24, 2024

Hi @metcoder95, sorry for the wrong issue report. I tried with your openssl.cnf format and it's working fine. I bet I misunderstood the tutorials about how to write this file 😶‍🌫️

Poyoman39 commented on May 24, 2024

@metcoder95 I closed this issue a bit too fast. I succeeded in reproducing the bug with the previous openssl version. Here is how to proceed:

This openssl.cnf file:

nodejs_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2

Then run node --openssl-config ./openssl.cnf and execute:

const { Agent, setGlobalDispatcher, fetch } = await import('undici');
setGlobalDispatcher(new Agent({ connect: { rejectUnauthorized: false, } }))

await fetch('https://www.aerocontact.com/entreprise-aeronautique/societe-latecoere-1128/offres-emploi-aeronautique?')

This will throw ERR_SSL_DH_KEY_TOO_SMALL.

PS: If you get a UND_ERR_CONNECT_TIMEOUT error, just run the fetch again (this website is really slow).

metcoder95 commented on May 24, 2024

Nice, thanks! I was able to reproduce it. Now, lowering the sec level to 1 did the trick for me; did you try it already?

nodejs_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

Reference

metcoder95 commented on May 24, 2024

ah, ok sorry, now I got you 👍
And no, it doesn't work like that; rejectUnauthorized is meant for CAs, as it mandates whether or not to reject requests whose certificate has a valid CA (avoiding self-signed or similar)

metcoder95 commented on May 24, 2024

You can do it by passing the cipher property to the Agent under the connect scope, e.g.

setGlobalDispatcher(
  new Agent({
    allowH2: true,
    connect: {
      rejectUnauthorized: false,
      ciphers: 'DEFAULT:@SECLEVEL=2',
    }
  })
)

That should do the work 👍

Poyoman39 commented on May 24, 2024

I confirm this is working fine 🤩 Thank you for your time! :)

The solution working for my case:

const { Agent, setGlobalDispatcher, fetch } = await import('undici');
setGlobalDispatcher(new Agent({ connect: { ciphers: 'DEFAULT:@SECLEVEL=1' } }))

await fetch('https://www.aerocontact.com/entreprise-aeronautique/societe-latecoere-1128/offres-emploi-aeronautique?')

Poyoman39 commented on May 24, 2024

Found the documentation ^^. For those landing on this issue, it's located here: https://undici.nodejs.org/#/docs/api/Client?id=parameter-connectoptions with a link to this documentation: https://nodejs.org/api/tls.html#tls_tls_connect_options_callback

metcoder95 commented on May 24, 2024

I've tried to reproduce it without luck. When trying to reproduce it with another local reproduction as well, I still don't have any luck: fetch fails if rejectUnauthorized is set to true and goes through otherwise.

import { createServer } from 'node:https'
import { Agent, setGlobalDispatcher, fetch } from 'undici'

// pem is the { key, cert } pair used by the local TLS server; its definition is not shown in the comment
const server = createServer(pem, (req, res) => {
  res.writeHead(200, { 'content-type': 'text/plain' })
  res.end('hello h1!')
})

setGlobalDispatcher(new Agent({ connect: { rejectUnauthorized: false } }))

server.listen(0, () => {
  const { port, address, family } = server.address()
  const host = family === 'IPv6' ? `[${address}]` : address

  fetch(`https://${host}:${port}`).then(
    res => {
      console.log(res.status, res.statusText)
    },
    err => console.log(err)
  ).then(() => server.close())
})

Poyoman39 commented on May 24, 2024

Hi @metcoder95, thank you for your quick answer. I made some tests and I did not reproduce on Linux with OpenSSL 3.1.x. Maybe the problem comes with OpenSSL 3.2.0 ... I'm searching a bit more to be sure.

Poyoman39 commented on May 24, 2024

I made some tests; I think (for reasons I don't know) undici ignores the openssl configuration.

I edited the /etc/ssl/openssl.cnf file on my system

with the following configuration (low sec level):

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

I get this:

Curl working:
curl 'https://www.aerocontact.com/entreprise-aeronautique/societe-latecoere-1128/offres-emploi-aeronautique?'

node.js fetch throws

With the default configuration (normal sec level) or this configuration:

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2

Curl:
curl 'https://www.aerocontact.com/entreprise-aeronautique/societe-latecoere-1128/offres-emploi-aeronautique?'
Output : > curl: (35) OpenSSL/3.2.0: error:0A00018A:SSL routines::dh key too small

Node.js fetch fails, but that's normal

I hope this helps

Poyoman39 commented on May 24, 2024

It seems to me undici with node.js uses its own openssl service / configuration file and ignores the system configuration and the --openssl-config argument

Poyoman39 commented on May 24, 2024

I guess it was working on some of my servers since openssl changed its default security levels recently and my servers were just a bit late.

Poyoman39 commented on May 24, 2024

Hi @metcoder95, yes, lowering it to 1 does the trick for me too, and that's why I closed the issue a bit quickly at first.

Then I remembered my issue was that setGlobalDispatcher(new Agent({ connect: { rejectUnauthorized: false, } })) does not make fetch ignore this error ^^

Shouldn't rejectUnauthorized: false make the request work even with a "bad sec level"?

Poyoman39 commented on May 24, 2024

Good to know 😁.
Do you think it would be possible to have a boolean controlling whether it's possible to disable this security check on one request? Or does it need to be done at the node.js level?

This would be useful so it's possible to decrease security only for specific requests :)


Poyoman39 commented on May 24, 2024

By the way, do you think it's worth a mention in the official Agent documentation? I don't find any reference to such a ciphers parameter ^^
