Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

socket hang up on https request #9845

Closed
MrVoltz opened this issue Nov 29, 2016 · 9 comments

Comments

Projects
None yet
5 participants
@MrVoltz
Copy link

commented Nov 29, 2016

  • Version:v6.9.1
  • Platform:Linux 4.4.0-47-generic #68-Ubuntu SMP x86_64 GNU/Linux
  • Subsystem:tls

This code is giving me socket hang up error:

const https = require("https");
var req = https.request({
        host: 'www.tisknulevne.cz',
        port: 443,
        path:'/',
        method:'GET'
}, (res) => console.log("done", res));
req.end();
$ NODE_DEBUG="tls https http" node test.js 
HTTP 13990: call onSocket 0 0
HTTP 13990: createConnection www.tisknulevne.cz:443:::::::: { servername: 'www.tisknulevne.cz',
  _defaultAgent: 
   Agent {
     domain: null,
     _events: { free: [Function] },
     _eventsCount: 1,
     _maxListeners: undefined,
     defaultPort: 443,
     protocol: 'https:',
     options: { path: null },
     requests: {},
     sockets: { 'www.tisknulevne.cz:443::::::::': [] },
     freeSockets: {},
     keepAliveMsecs: 1000,
     keepAlive: false,
     maxSockets: Infinity,
     maxFreeSockets: 256,
     maxCachedSessions: 100,
     _sessionCache: { map: {}, list: [] } },
  host: 'www.tisknulevne.cz',
  port: 443,
  path: null,
  method: 'GET',
  _agentKey: 'www.tisknulevne.cz:443::::::::' }
HTTPS 13990: createConnection { servername: 'www.tisknulevne.cz',
  _defaultAgent: 
   Agent {
     domain: null,
     _events: { free: [Function] },
     _eventsCount: 1,
     _maxListeners: undefined,
     defaultPort: 443,
     protocol: 'https:',
     options: { path: null },
     requests: {},
     sockets: { 'www.tisknulevne.cz:443::::::::': [] },
     freeSockets: {},
     keepAliveMsecs: 1000,
     keepAlive: false,
     maxSockets: Infinity,
     maxFreeSockets: 256,
     maxCachedSessions: 100,
     _sessionCache: { map: {}, list: [] } },
  host: 'www.tisknulevne.cz',
  port: 443,
  path: null,
  method: 'GET',
  _agentKey: 'www.tisknulevne.cz:443::::::::',
  encoding: null }
HTTP 13990: sockets www.tisknulevne.cz:443:::::::: 1
HTTP 13990: outgoing message end.
TLS 13990: start
HTTP 13990: SOCKET ERROR: socket hang up Error: socket hang up
    at TLSSocket.onHangUp (_tls_wrap.js:1094:19)
    at TLSSocket.g (events.js:291:16)
    at emitNone (events.js:91:20)
    at TLSSocket.emit (events.js:185:7)
    at endReadableNT (_stream_readable.js:974:12)
    at _combinedTickCallback (internal/process/next_tick.js:74:11)
    at process._tickCallback (internal/process/next_tick.js:98:9)
events.js:160
      throw er; // Unhandled 'error' event
      ^

Error: socket hang up
    at TLSSocket.onHangUp (_tls_wrap.js:1094:19)
    at TLSSocket.g (events.js:291:16)
    at emitNone (events.js:91:20)
    at TLSSocket.emit (events.js:185:7)
    at endReadableNT (_stream_readable.js:974:12)
    at _combinedTickCallback (internal/process/next_tick.js:74:11)
    at process._tickCallback (internal/process/next_tick.js:98:9)

I traced it down to the tls module, this code still throws socket hang up error:

var socket = tls.connect({
        host: "www.tisknulevne.cz",
        port: 443
});
socket.end();

Ending the socket or not doesn't make difference. Opening the site in browser works fine, even wget and curl does.

$ curl -svvv https://www.tisknulevne.cz > /dev/null
* Rebuilt URL to: https://www.tisknulevne.cz/
*   Trying 217.198.118.57...
* Connected to www.tisknulevne.cz (217.198.118.57) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.0 / RSA_3DES_EDE_CBC_SHA1
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: tisknulevne.cz (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: CN=tisknulevne.cz
* 	 start date: Thu, 19 May 2016 00:00:00 GMT
* 	 expire date: Fri, 19 May 2017 23:59:59 GMT
* 	 issuer: C=US,O=GeoTrust\, Inc.,OU=Domain Validated SSL,CN=Secure Site Starter DV SSL CA - G2
* 	 compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: www.tisknulevne.cz
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 29 Nov 2016 19:56:34 GMT
< Server: Microsoft-IIS/6.0
< X-Powered-By: ASP.NET
< Content-Type: text/html
< Expires: Tue, 29 Nov 2016 19:56:34 GMT
< Set-Cookie: ASPSESSIONIDQSBDRCDC=AAMFDOOCNMAMFBGAKGCNMBIP; path=/
< Cache-control: private
< Transfer-Encoding: chunked
< 
{ [16094 bytes data]
* Connection #0 to host www.tisknulevne.cz left intact

Other sites are fine, just this one.

@mscdex mscdex added the tls label Nov 29, 2016

@dstibrany

This comment has been minimized.

Copy link

commented Nov 30, 2016

We're having the same problem with various sites, .e.g. https://applications.bmi.com/Security/Login.aspx

Every site we're having a problem with, including the site mentioned by OP, is served by Microsoft IIS.

@dstibrany

This comment has been minimized.

Copy link

commented Nov 30, 2016

Adding ciphers: 'DES-CBC3-SHA' to the request options seems to fix it in my case.

@MrVoltz

This comment has been minimized.

Copy link
Author

commented Dec 1, 2016

Can confirm adding ciphers: 'DES-CBC3-SHA' fixes it. Why isn't that default, when in other apps it is?
If there is a good reason for it not being default, can you consider adding more descriptive error message than socket hang up?

@bnoordhuis

This comment has been minimized.

Copy link
Member

commented Dec 1, 2016

CBC ciphers are considered insecure. There isn't really any way for node.js to provide a better error message because the server simply terminates the connection instead of sending back a 'no suitable cipher' alert.

I'll go ahead and close the issue but feel free to ask follow-up questions.

@bnoordhuis bnoordhuis closed this Dec 1, 2016

@MrVoltz

This comment has been minimized.

Copy link
Author

commented Dec 1, 2016

I think if browser loads some page without complaints, node.js should too. If major browsers start rejecting CBC ciphers or marking them as insecure, node.js should too. Thats my opinion.

@bnoordhuis

This comment has been minimized.

Copy link
Member

commented Dec 1, 2016

The current default cipher list came about after ample discussion. We want node.js to be secure by default so you should expect it to become even stricter over time, not looser.

It's not a browser, it targets a different demographic than browsers do (users vs. programmers), so comparing them is not meaningful, IMO.

@bnoordhuis

This comment has been minimized.

Copy link
Member

commented Dec 1, 2016

Aside: you might be interested to know that while Chrome doesn't reject the connection outright, it does complain:

The connection to this site uses an obsolete protocol (TLS 1.0), an obsolete key exchange (RSA), and an obsolete cipher (3DES_EDE_CBC with HMAC-SHA1).

"Obsolete" is Chrome lingo for "on the chopping block and to be killed off when usage drops below a threshold."

@m-nathani

This comment has been minimized.

Copy link

commented May 30, 2018

ciphers: 'DES-CBC3-SHA' did fixed the problem. But thats strange why is it not adding that header in tls by default

@bnoordhuis

This comment has been minimized.

Copy link
Member

commented May 30, 2018

Because DES-CBC3-SHA is an insecure cipher.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.