socket hang up on https request #9845

Closed
MrVoltz opened this issue Nov 29, 2016 · 9 comments
Labels
tls Issues and PRs related to the tls subsystem.

Comments

@MrVoltz

MrVoltz commented Nov 29, 2016

This code is giving me a socket hang up error:

const https = require("https");
var req = https.request({
        host: 'www.tisknulevne.cz',
        port: 443,
        path:'/',
        method:'GET'
}, (res) => console.log("done", res));
req.end();

$ NODE_DEBUG="tls https http" node test.js
HTTP 13990: call onSocket 0 0
HTTP 13990: createConnection www.tisknulevne.cz:443:::::::: { servername: 'www.tisknulevne.cz',
  _defaultAgent: 
   Agent {
     domain: null,
     _events: { free: [Function] },
     _eventsCount: 1,
     _maxListeners: undefined,
     defaultPort: 443,
     protocol: 'https:',
     options: { path: null },
     requests: {},
     sockets: { 'www.tisknulevne.cz:443::::::::': [] },
     freeSockets: {},
     keepAliveMsecs: 1000,
     keepAlive: false,
     maxSockets: Infinity,
     maxFreeSockets: 256,
     maxCachedSessions: 100,
     _sessionCache: { map: {}, list: [] } },
  host: 'www.tisknulevne.cz',
  port: 443,
  path: null,
  method: 'GET',
  _agentKey: 'www.tisknulevne.cz:443::::::::' }
HTTPS 13990: createConnection { servername: 'www.tisknulevne.cz',
  _defaultAgent: 
   Agent {
     domain: null,
     _events: { free: [Function] },
     _eventsCount: 1,
     _maxListeners: undefined,
     defaultPort: 443,
     protocol: 'https:',
     options: { path: null },
     requests: {},
     sockets: { 'www.tisknulevne.cz:443::::::::': [] },
     freeSockets: {},
     keepAliveMsecs: 1000,
     keepAlive: false,
     maxSockets: Infinity,
     maxFreeSockets: 256,
     maxCachedSessions: 100,
     _sessionCache: { map: {}, list: [] } },
  host: 'www.tisknulevne.cz',
  port: 443,
  path: null,
  method: 'GET',
  _agentKey: 'www.tisknulevne.cz:443::::::::',
  encoding: null }
HTTP 13990: sockets www.tisknulevne.cz:443:::::::: 1
HTTP 13990: outgoing message end.
TLS 13990: start
HTTP 13990: SOCKET ERROR: socket hang up Error: socket hang up
    at TLSSocket.onHangUp (_tls_wrap.js:1094:19)
    at TLSSocket.g (events.js:291:16)
    at emitNone (events.js:91:20)
    at TLSSocket.emit (events.js:185:7)
    at endReadableNT (_stream_readable.js:974:12)
    at _combinedTickCallback (internal/process/next_tick.js:74:11)
    at process._tickCallback (internal/process/next_tick.js:98:9)
events.js:160
      throw er; // Unhandled 'error' event
      ^

Error: socket hang up
    at TLSSocket.onHangUp (_tls_wrap.js:1094:19)
    at TLSSocket.g (events.js:291:16)
    at emitNone (events.js:91:20)
    at TLSSocket.emit (events.js:185:7)
    at endReadableNT (_stream_readable.js:974:12)
    at _combinedTickCallback (internal/process/next_tick.js:74:11)
    at process._tickCallback (internal/process/next_tick.js:98:9)

I traced it down to the tls module; this code still throws a socket hang up error:

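const tls = require("tls");
// No ciphers option is passed, so Node's default cipher list is offered.
var socket = tls.connect({
        host: "www.tisknulevne.cz",
        port: 443
});
socket.end();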

Ending the socket or not doesn't make a difference. Opening the site in a browser works fine; even wget and curl do.

$ curl -svvv https://www.tisknulevne.cz > /dev/null
* Rebuilt URL to: https://www.tisknulevne.cz/
*   Trying 217.198.118.57...
* Connected to www.tisknulevne.cz (217.198.118.57) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.0 / RSA_3DES_EDE_CBC_SHA1
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: tisknulevne.cz (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: CN=tisknulevne.cz
* 	 start date: Thu, 19 May 2016 00:00:00 GMT
* 	 expire date: Fri, 19 May 2017 23:59:59 GMT
* 	 issuer: C=US,O=GeoTrust\, Inc.,OU=Domain Validated SSL,CN=Secure Site Starter DV SSL CA - G2
* 	 compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: www.tisknulevne.cz
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 29 Nov 2016 19:56:34 GMT
< Server: Microsoft-IIS/6.0
< X-Powered-By: ASP.NET
< Content-Type: text/html
< Expires: Tue, 29 Nov 2016 19:56:34 GMT
< Set-Cookie: ASPSESSIONIDQSBDRCDC=AAMFDOOCNMAMFBGAKGCNMBIP; path=/
< Cache-control: private
< Transfer-Encoding: chunked
< 
{ [16094 bytes data]
* Connection #0 to host www.tisknulevne.cz left intact

Other sites are fine, just this one.

@mscdex added the tls label Nov 29, 2016
@dstibrany

We're having the same problem with various sites, e.g. https://applications.bmi.com/Security/Login.aspx

Every site we're having a problem with, including the site mentioned by OP, is served by Microsoft IIS.

@dstibrany

Adding ciphers: 'DES-CBC3-SHA' to the request options seems to fix it in my case.

@MrVoltz
Author

MrVoltz commented Dec 1, 2016

Can confirm adding ciphers: 'DES-CBC3-SHA' fixes it. Why isn't that the default, when in other apps it is?
If there is a good reason for it not being the default, can you consider adding a more descriptive error message than socket hang up?

@bnoordhuis
Member

CBC ciphers are considered insecure. There isn't really any way for node.js to provide a better error message because the server simply terminates the connection instead of sending back a 'no suitable cipher' alert.

I'll go ahead and close the issue but feel free to ask follow-up questions.

@MrVoltz
Author

MrVoltz commented Dec 1, 2016

I think if a browser loads some page without complaints, node.js should too. If major browsers start rejecting CBC ciphers or marking them as insecure, node.js should too. That's my opinion.

@bnoordhuis
Member

The current default cipher list came about after ample discussion. We want node.js to be secure by default so you should expect it to become even stricter over time, not looser.

It's not a browser, it targets a different demographic than browsers do (users vs. programmers), so comparing them is not meaningful, IMO.

@bnoordhuis
Member

Aside: you might be interested to know that while Chrome doesn't reject the connection outright, it does complain:

The connection to this site uses an obsolete protocol (TLS 1.0), an obsolete key exchange (RSA), and an obsolete cipher (3DES_EDE_CBC with HMAC-SHA1).

"Obsolete" is Chrome lingo for "on the chopping block and to be killed off when usage drops below a threshold."

@m-nathani

ciphers: 'DES-CBC3-SHA' did fix the problem. But that's strange, why is it not adding that header in tls by default?

@bnoordhuis
Member

Because DES-CBC3-SHA is an insecure cipher.
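
Added example, not code from this thread or from the Node.js project: one way to confine the `ciphers` workaround discussed above to a single reviewed host while every other request keeps Node's defaults, and to report a reset that arrives before the handshake completes with more than "socket hang up". The host name `legacy-iis.example` and all helper names are hypothetical, and it is an assumption that the local Node.js/OpenSSL build can still negotiate the legacy suite at all.

```javascript
const https = require("https");
const tls = require("tls");

// Hypothetical per-host exceptions; "legacy-iis.example" is a constructed name.
const LEGACY_CIPHERS = new Map([["legacy-iis.example", "DES-CBC3-SHA"]]);

// Build request options. Only listed hosts get the extra suite, appended after
// Node's default list so it is the client's last preference.
function requestOptionsFor(host, path = "/") {
  const opts = { host, port: 443, path, method: "GET" };
  const legacy = LEGACY_CIPHERS.get(host.toLowerCase());
  if (legacy) opts.ciphers = `${tls.DEFAULT_CIPHERS}:${legacy}`;
  return opts;
}

// Expand the bare error when the reset happened before the handshake finished,
// i.e. the server dropped the connection without sending a TLS alert.
function explainTlsFailure(err, handshakeDone) {
  if (!handshakeDone && err.code === "ECONNRESET") {
    return `${err.message}: peer closed the connection during the TLS ` +
      "handshake without sending an alert; check protocol version and cipher overlap";
  }
  return err.message;
}

// GET a page and call cb(err, statusCode). An 'error' handler is always
// attached, so a failed handshake is reported instead of being thrown as an
// unhandled 'error' event.
function get(host, path, cb) {
  let handshakeDone = false;
  const req = https.request(requestOptionsFor(host, path), (res) => {
    res.resume(); // discard the body
    cb(null, res.statusCode);
  });
  req.on("socket", (socket) => {
    if (req.reusedSocket) handshakeDone = true; // keep-alive socket, already secured
    socket.once("secureConnect", () => { handshakeDone = true; });
  });
  req.on("error", (err) => cb(new Error(explainTlsFailure(err, handshakeDone))));
  req.end();
}
```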
