SSL Error After Upgrading Application To Node 18

[tcs-cclaflin]

We have an application that connects to vault that we are trying to upgrade from Node 14 to Node 18. Node 18 introduced a change in the ssl library that is causes SSL issues with our instance of vault. The error we are seeing is:

Error: write EPROTO 389B736FE57F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:921:

Recommended solutions when searching that error is to change the SSL configuration at the endpoint (which we can't do easily at this time) or implement SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION or SSL_OP_LEGACY_SERVER_CONNECT as described here: nodejs/node#45378

I found an example of adding securityOptions in pass_request_options.js and tried adding multiple variations (secureOptions, securityOptions, agentOptions, etc.) of that to the options section in the application:

    const options = {
      apiVersion: "v1",
      endpoint: "<SANITIZED>",
      token: process.env.VAULT_TOKEN,
      secureOptions: 'SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION',
      agentOptions: {
        secureOptions: 'SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION',
      },
    };

Can someone confirm what the correct option should be for this package and if this is the correct location to try and implement it?

[TJM]

We hit this issue too, this is not a node or node-vault issue. The latest version of OpenSSL, which apparently the latest node container is using requires the destination to not have unsafe renegotiation. There are workarounds (configurations you can put into the openssl config), or you can get the target web service to secure itself properly.

[aviadhahami]

@tcs-cclaflin - heya! sorry you bump into that;

I'd follow @TJM 's recommendation on upgrading the other server as it makes less sense to unsecure this app in order for it to be backward compatible;
That being said - it's not always easy.

Please feel free to open a PR to this bug once finding the appropriate location for these configurations

[tcs-cclaflin]

Thank you for the replies, unfortunately we don't control the vault endpoint so will have to coordinate with multiple other teams (infrastructure, security, etc.) to try and get it changed.

seeing this in example/pass_request_options.js made me think it was possible to just override it in this library somehow.

    agentOptions: {
        cert: 'mycert',
        key: 'mykey',
        passphrase: 'password',
        securityOptions: 'SSL_OP_NO_SSLv3',
    },

openssl isn't even installed in the image so unsure if creating a custom openssl config would work and was hoping to not have to go that route.

[Mehak-Baig-Insignia]

Any updates on how to resolve this issue ?