
Differences in https/tls between v4..v6..v8 #968

@dikmax

Description

Here's code that works (it actually connects to the server) in Node 4.8.6 and Node 6.12.0, but fails to connect in Node 8.9.1:

const https = require('https');

// Request body: an empty JSON object, serialised when written below
const content = {};

const req = https.request({
    hostname: 'api.sandbox.paydirekt.de',
    port: 443,
    path: '/api/merchantintegration/v1/token/obtain',
    method: 'POST',
    // restrict the client to this single TLS 1.2 cipher suite
    ciphers: 'ECDHE-RSA-AES256-GCM-SHA384'
}, (res) => {
    console.log('statusCode:', res.statusCode);
    console.log('headers:', res.headers);

    res.on('data', (d) => {
        process.stdout.write(d);
    });
});
// TLS handshake failures surface here, before any HTTP response exists
req.on('error', (e) => {
    console.error(e);
});
req.write(JSON.stringify(content));
req.end();

The target server supports the specified cipher and has a valid certificate. openssl on the command line establishes the connection successfully:

$ openssl s_client -connect "api.sandbox.paydirekt.de:443" -cipher "ECDHE-RSA-AES256-GCM-SHA384"

CONNECTED(00000005)
depth=1 C = US, O = "thawte, Inc.", CN = thawte EV SSL CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.2=Hessen/1.3.6.1.4.1.311.60.2.1.1=Frankfurt am Main/businessCategory=Private Organization/serialNumber=HRB 99538/C=DE/ST=Hessen/L=Frankfurt am Main/O=Paydirekt GmbH/CN=sandbox.paydirekt.de
   i:/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G3
 1 s:/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G3
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----

... certificate data ...

-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.2=Hessen/1.3.6.1.4.1.311.60.2.1.1=Frankfurt am Main/businessCategory=Private Organization/serialNumber=HRB 99538/C=DE/ST=Hessen/L=Frankfurt am Main/O=Paydirekt GmbH/CN=sandbox.paydirekt.de
issuer=/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3517 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3A6B6B5F6E2555F9CA8DBB0A3747491471719E96B1CFBACA111E8E030BF1C66F
    Session-ID-ctx:
    Master-Key: 921C9884628D5D46AC01E0775970CF898FE824BAA3A926FD55093C6F2B958DF239CAD17A3F392E9669B8C320DE04E46A
    Start Time: 1510592227
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I've no more ideas for fixes/workarounds. Do you have any?

All versions are the latest, installed via Homebrew on the latest macOS 10.13.1.

Here are the version details (process.versions):

v4:

{ http_parser: '2.7.0',
  node: '4.8.6',
  v8: '4.5.103.53',
  uv: '1.9.1',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  icu: '58.2',
  modules: '46',
  openssl: '1.0.2m' }

v6:

{ http_parser: '2.7.0',
  node: '6.12.0',
  v8: '5.1.281.108',
  uv: '1.15.0',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  icu: '58.2',
  modules: '48',
  openssl: '1.0.2m' }

v8:

{ http_parser: '2.7.0',
  node: '8.9.1',
  v8: '6.1.534.47',
  uv: '1.15.0',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  modules: '57',
  nghttp2: '1.25.0',
  openssl: '1.0.2m',
  icu: '59.1',
  unicode: '9.0',
  cldr: '31.0.1',
  tz: '2017b' }

I'll gladly provide additional details when needed.
