This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

npm does not respect strict-ssl and cafile #7226

Closed
madbence opened this issue Jan 27, 2015 · 5 comments

@madbence

npm does not respect strict-ssl and cafile (I'm using a custom registry):

$ npm -v
2.3.0
$ node -v
v0.10.36
$ npm i [pkg] # fails, because the custom ca is not in the built-in list
$ npm i [pkg] --strict-ssl false
npm info retry will retry, error on last attempt: Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE
$ npm i [pkg] --cafile /path/to/pem
npm info retry will retry, error on last attempt: Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE

If I use the native https module, it works just fine:

require('https').get({ host: '...', rejectUnauthorized: false});
// or
require('https').get({ host: '...', ca: [require('fs').readFileSync('/path/to/pem')] })

Workarounds

  • It works under node v0.11.15 as expected
  • It works if I run npm with NODE_TLS_REJECT_UNAUTHORIZED=0 and --strict-ssl false
@smikes
Contributor

smikes commented Jan 28, 2015

Thanks for the bug report. Since this works under node 0.11 and not 0.10, can you narrow down the failure to something in npm, or is it possible that it's node that is failing?

@madbence
Author

I guess it's something with npm or request.

I've patched node_modules/request/request.js with reqOptions.agent = false, and it works, so the problem is caused by a custom agent (reqOptions.agent = undefined also works, so globalAgent is fine).

It's weird, because it works under node v0.11.

@madbence
Author

Ok, the root of the problem is afaik npm-registry-client, which creates an agent without rejectUnauthorized: false, so rejectUnauthorized: false in the request params is silently ignored.

@othiym23
Contributor

A bunch of people have noticed this regression, and it seems that we've broken --no-proxy as well over the last couple months. I'm going to try to get all of these addressed and into a 2.4.2 that I can sneak out the door alongside 2.5.0.

@madbence
Author

Awesome! 👍
