Tests failing under Node.js 17

[dominykas]

Bug Description

Ran tests under Node.js 17, got the following:

 FAIL  test/tls-client-cert.js 3 failed of 3 100.353ms
 ✖ error:0A00018E:SSL routines::ca md too weak
 ✖ should be equal
 ✖ test unfinished

See also in actions: https://github.com/dominykas/undici/runs/4105824000?check_suite_focus=true#step:10:10005

Reproducible By

npm t

Expected Behavior

✅

Logs & Screenshots

Full stack traces

 FAIL  test/tls-client-cert.js
 ✖ error:0A00018E:SSL routines::ca md too weak

  test/tls-client-cert.js                                   
  52 |       method: 'GET'                                  
  53 |     }, (err, { statusCode, body }) => {              
> 54 |       t.error(err)                                   
     | --------^                                            
  55 |       t.equal(statusCode, 200)                       
  56 |                                                      
  57 |       const authorized = client[kSocket].authorized  

  test: test/tls-client-cert.js Client using valid client certificate
  origin:
    at:
      line: 65
      column: 13
      file: node:internal/tls/secure-context
    stack: |
      Array.forEach (<anonymous>)
      Client.connect (lib/core/connect.js:31:20)
      socket (lib/client.js:1144:25)
      new Promise (<anonymous>)
      connect (lib/client.js:1143:26)
    library: SSL routines
    reason: ca md too weak
    code: ERR_SSL_CA_MD_TOO_WEAK
  found:
    !error
    name: Error
    message: error:0A00018E:SSL routines::ca md too weak
    stack: >-
      Error:
          at node:internal/tls/secure-context:65:13
          at Array.forEach (<anonymous>)
          at setCerts (node:internal/tls/secure-context:63:3)
          at configSecureContext (node:internal/tls/secure-context:152:5)
          at Object.createSecureContext (node:_tls_common:116:3)
          at Object.connect (node:_tls_wrap:1621:48)
          at Client.connect (/Users/dominykas/devel/libs/undici/lib/core/connect.js:31:20)
          at socket (/Users/dominykas/devel/libs/undici/lib/client.js:1144:25)
          at new Promise (<anonymous>)
          at connect (/Users/dominykas/devel/libs/undici/lib/client.js:1143:26)
    library: SSL routines
    reason: ca md too weak
    code: ERR_SSL_CA_MD_TOO_WEAK
  stack: |
    test/tls-client-cert.js:54:9
    lib/api/api-request.js:122:14

 FAIL  test/tls-client-cert.js
 ✖ should be equal

  test/tls-client-cert.js                                   
  53 |     }, (err, { statusCode, body }) => {              
  54 |       t.error(err)                                   
> 55 |       t.equal(statusCode, 200)                       
     | --------^                                            
  56 |                                                      
  57 |       const authorized = client[kSocket].authorized  
  58 |       t.ok(authorized)                               

  test: test/tls-client-cert.js Client using valid client certificate
  found: null
  wanted: 200
  compare: ===
  stack: |
    test/tls-client-cert.js:55:9
    lib/api/api-request.js:122:14

 FAIL  test/tls-client-cert.js
 ✖ test unfinished

  test/tls-client-cert.js                                                  
  18 | }                                                                   
  19 |                                                                     
> 20 | test('Client using valid client certificate', t => {                
     | ^                                                                   
  21 |   t.plan(5)                                                         
  22 |                                                                     
  23 |   const server = https.createServer(serverOptions, (req, res) => {  

  test: Client using valid client certificate
  stack: |
    Object.<anonymous> (test/tls-client-cert.js:20:1)

test/tls-client-cert.js 2> TypeError: Cannot read properties of null (reading 'authorized')
test/tls-client-cert.js 2>     at /Users/dominykas/devel/libs/undici/test/tls-client-cert.js:57:42
test/tls-client-cert.js 2>     at RequestHandler.runInAsyncScope (node:async_hooks:199:9)
test/tls-client-cert.js 2>     at /Users/dominykas/devel/libs/undici/lib/api/api-request.js:122:14
test/tls-client-cert.js 2>     at node:internal/process/task_queues:141:7
test/tls-client-cert.js 2>     at AsyncResource.runInAsyncScope (node:async_hooks:199:9)
test/tls-client-cert.js 2>     at AsyncResource.runMicrotask (node:internal/process/task_queues:138:8)
test/tls-client-cert.js 2>     at processTicksAndRejections (node:internal/process/task_queues:96:5)
 FAIL  test/tls-client-cert.js 3 failed of 3 100.353ms
 ✖ error:0A00018E:SSL routines::ca md too weak
 ✖ should be equal
 ✖ test unfinished

Environment

Node.js 17.0.1 on Linux and macOS

Additional context

May or may not be related to NODE_OPTIONS=--openssl-legacy-provider (tests don't run at all without this; I haven't yet taken the time to understand what that is all about).

Somewhat related: I'm a couple of other PRs away from opening a PR for #1071, which would add Node.js 17 into the test matrix.

[mcollina]

This seems fixed

[dominykas]

I think it was set to be skipped in c5b7d03 rather than fixed per se?

[mcollina]

Apparently so. I don't see much of a problem for that in the short term.