HTTP Request unsafe legacy renegotiation

HarryPottar · 6 January 2023 19:16

Hi,

We're moving our flows from Node-Red V2.06 to V3.02

We have a subflow that connects to an older (Legacy) systems API. Under Node-Red V2 the http-request node works fine. Under V3 we get an error

RequestError: write EPROTO 886996BB0D7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:907:

Is there an option we can use through "ALPN Protocol" to Allow Legacy Renegotiation, or some other method. i.e. setting SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION to true?

Ideally we could just allow it on this Subflow connector for known legacy API but leave the others alone.

Thanks In Advanced
Harry

Steve-Mcl · 6 January 2023 20:48

This looks to be something people are experiencing under certain conditions on nodejs v18+

You could try running node-red under node v16LTS

lqt123l · 19 February 2023 01:17

For node18, set secureOptions like below:

import * as https from 'https';
import * as crypto from "crypto";

axios.create({
      baseURL: baseURL,
      httpsAgent: new https.Agent({
        secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT,
      })
    });

HarryPottar · 19 February 2023 13:54

Thanks this is very helpful and certainly a workaround.

Luckily, we where able to convince their IT of the security issue and the server SSL was updated and fixes our issue.

But once again, thank you so much for the workaround.
Harry

TotallyInformation · 19 February 2023 16:39

Always the best first approach - fix the security problem rather than work around it!

system · 5 March 2023 16:39

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.