New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL negotiation error when on a network that uses legacy TLS renegotiation #26310
Comments
Hi @johnnyreilly, thanks for reporting this. Another possible workaround would be to set the At the same time, it feels odd that the KeyVault service is using legacy negotiation. Strangely, our internal test matrix that includes Node 18 and 20 doesn't seem to be impacted by this issue. @timovv are you able to reproduce this behavior on Node18? |
This is strange. I use Node 18 on a daily basis and have never run into this issue. I tried just now running the example provided and it works as expected. From what I gather, legacy TLS renegotiation would only kick in if the service for whatever reason didn't support RFC 5746. I'm skeptical that this would be the case for Key Vault, or indeed any Azure service, given that legacy SSL has a known vulnerability to MITM attacks dating back to 2009 (CVE-2009-3555). The only situation I could imagine encountering something like this off the top of my head would be if accessing Key Vault via a proxy that only supports legacy SSL. I don't suppose that there could be anything like that in the mix with the setup you used to test this, @johnnyreilly? |
Oh that's interesting - I'm not familiar with this approach. Are there docs? |
That's a great question. This is done from a corporate network. And most traffic on that network is subject to SSL interception ( https://docs.netscaler.com/en-us/citrix-adc/13/forward-proxy/ssl-interception.html ) - probably with Palo Alto https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-inbound-inspection Do you think that's a likely cause? |
I'd say that that's very likely to have something to do with it. With a proxy like that in effect, the client is performing the TLS handshake with the proxy instead of the Key Vault service, so all bets are off as to what happens. The proxy's CA certificate would also have to be trusted for this to work, which could cause problems, but if that was the issue I would have expected a more specific error. In terms of attaching an additional policy as Jeff described above, there's no formal docs that I'm aware of -- this is quite an advanced use case. But it would look something like this (haven't tested; I think const client = new SecretClient(process.env.KEYVAULT_URI, new DefaultAzureCredential(), {
additionalPolicies: [
{
policy: {
name: "legacySSLRenegotiationPolicy",
sendRequest(request, next) {
request.agent = sslLegacyAgent;
return next(request);
},
},
position: "perCall",
}
]
}); |
Given that this is a private network issue rather than an SDK one, I'm not sure there's much we can do for this issue. I don't think we want to change the default behavior of the platform in a way that reduces security. |
Agreed. To add to that, I would caution against using the workaround in a production environment given the security implications. I'm going to close this issue, but feel free to drop any further questions here regardless :) |
Thanks - using the workaround is a necessity for now, it's that or we have nothing that works. That said, I'll try and talk to our networking folk and see what they have to ssy |
Just to follow up, we were able to confirm that the cause for this was Palo Alto performing SSL inspection and downgrading TLS along the way. We've got remedies in place on our side now so we don't need the workaround. Thanks for the discussion - this was useful input into our discussions. ❤️ |
Glad to hear your networking folks were able to help! |
Hi Jonny, |
We have an allowlist of domains which are exempt from SSL interception. We added the Azure domains to that list |
Describe the bug
With Node.js 18, legacy SSL support was disabled by default. As a consequence, when a library makes use of legacy SSL, a message like this presents:
For some reason, it seems that the Azure KeyVault uses legacy TLS, and the consequence of that is that when you try to use the
@azure/keyvault-secrets
package with Node.js 18, it errors out thusly:To Reproduce
Steps to reproduce the behavior:
Expected behavior
API calls work.
Screenshots
N/A
Additional context
It's possible to work around the problem like so: (this is based upon this blog post: https://johnnyreilly.com/node-18-axios-and-unsafe-legacy-renegotiation-disabled which in turn came from this Stack Overflow entry: https://stackoverflow.com/questions/74324019/allow-legacy-renegotiation-for-nodejs/77335383#77335383 )
The text was updated successfully, but these errors were encountered: