HTTP Request unsafe legacy renegotiation

Hi,

We're moving our flows from Node-Red V2.06 to V3.02.

We have a subflow that connects to an older (legacy) system's API. Under Node-Red V2 the http-request node works fine. Under V3 we get an error:

RequestError: write EPROTO 886996BB0D7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:907:

Is there an option we can use through "ALPN Protocol" to allow legacy renegotiation, or some other method, i.e. setting SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION to true?

Ideally we could just allow it on this subflow connector for the known legacy API but leave the others alone.

Thanks in advance
Harry

This looks to be something people are experiencing under certain conditions on nodejs v18+

You could try running node-red under node v16LTS

For node18, set secureOptions like below:

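import axios from 'axios';
import * as https from 'https';
import * as crypto from 'crypto';

// baseURL is the base URL of the legacy API and must be defined by the caller.
// SSL_OP_LEGACY_SERVER_CONNECT lets this agent connect to servers that do not
// support secure renegotiation; only requests made through this client use it.
const client = axios.create({
  baseURL: baseURL,
  httpsAgent: new https.Agent({
    secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT,
  }),
});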
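
Added example (not part of the original replies, and not Node-RED's or axios's own code): one way to confine the relaxed option to a single known legacy host, as the original question asks, while every other host keeps Node's default agent. The host name `legacy-api.example.internal` and the helpers `agentFor` and `get` are hypothetical.

```javascript
const https = require('node:https');
const crypto = require('node:crypto');

// Hypothetical allowlist: only hosts listed here get the relaxed TLS option.
const LEGACY_HOSTS = new Set(['legacy-api.example.internal']);

// Dedicated agent for legacy hosts. SSL_OP_LEGACY_SERVER_CONNECT lets the
// client talk to servers without RFC 5746 secure renegotiation, so it is
// set here and never on https.globalAgent.
const legacyAgent = new https.Agent({
  secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT,
});

// Pick the agent from the parsed hostname (exact match only), so lookalike
// names and userinfo tricks in the URL fall back to the default agent.
function agentFor(targetUrl) {
  const { protocol, hostname } = new URL(targetUrl);
  if (protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS URL: ${targetUrl}`);
  }
  return LEGACY_HOSTS.has(hostname) ? legacyAgent : https.globalAgent;
}

// Issue a GET with the agent chosen for that URL's host.
function get(targetUrl, onResponse) {
  return https.get(targetUrl, { agent: agentFor(targetUrl) }, onResponse);
}
```
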

Thanks, this is very helpful and certainly a workaround.

Luckily, we were able to convince their IT of the security issue, and the server SSL was updated, which fixes our issue.

But once again, thank you so much for the workaround.
Harry


Always the best first approach - fix the security problem rather than work around it! :slight_smile:
