Node.js 10 HTTPS server is rejecting connections

Question

I have simple Node.js HTTPS server

const https = require('https');
const fs = require('fs');

const config = {
  key: fs.readFileSync('cert/server-key.pem'),
  cert: fs.readFileSync('cert/server-crt.pem'),
  ca: fs.readFileSync('cert/ca-crt.pem'),
};

const server = https.createServer(config, ((req, res) => {
  console.log('Got request');

  res.end();
}));

server.listen(3333);

I use curl on embedded system.

# curl -V
curl 7.52.1 (arm-unknown-linux-gnu) libcurl/7.52.1 wolfSSL/3.9.8
Protocols: file ftp ftps http https smtp smtps telnet tftp 
Features: IPv6 Largefile SSL UnixSockets  

When I use Node.js other then version 10 - everything works nicely.

HTTPS server running on Node.js v8.2.1

# curl -k -v "https://10.43.11.128:3333/"
*   Trying 10.43.11.128...
* TCP_NODELAY set
* Connected to 10.43.11.128 (10.43.11.128) port 3333 (#0)
* SSL connected
> GET / HTTP/1.1
> Host: 10.43.11.128:3333
> User-Agent: curl/7.52.1
> Accept: */*

HTTPS server running on Node.js v10.1.0

# curl -k -v "https://10.43.11.128:3333/"
*   Trying 10.43.11.128...
* TCP_NODELAY set
* Connected to 10.43.11.128 (10.43.11.128) port 3333 (#0)
* SSL_connect failed with error -313: revcd alert fatal error
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (35) SSL_connect failed with error -313: revcd alert fatal error

What has changed in Node.js 10 with regards to HTTPS? I suspect I'll have to change SSL settings but I am to sure how.

---

UPDATES:

Trying to access HTTP (Node.js v10.1.0)

# curl --insecure -v "10.43.11.128:3333/"
*   Trying 10.43.11.128...
* TCP_NODELAY set
* Connected to 10.43.11.128 (10.43.11.128) port 3333 (#0)
> GET / HTTP/1.1
> Host: 10.43.11.128:3333
> User-Agent: curl/7.52.1
> Accept: */*
> 
* Curl_http_done: called premature == 0
* Empty reply from server
* Connection #0 to host 10.43.11.128 left intact
curl: (52) Empty reply from server

Wireshark captured pcap file.

Answer 1

Problem is that the client is not broadcasting support for a cipher suite or extension that the server requires.

Some common solutions to this problem may be: - If using ECC, the server requires the Supported Curves Extension to be enabled. Compile wolfSSL with "--enable-supported curves" to resolve. - wolfSSL has static key cipher suites disabled by default for security. Please see note at the top of the README for instructions on re-enabling static-key cipher suites if your server requires them.

Here is the Thread which discuses the error which you have received . Hope this fixes you issue

Answer 2

Validate which headers curl sends, you can use the -v argument for that.

curl -vIX "https://10.43.11.128:3333/"

also In node,

just console.log(req._headers) after req.end() and compare your header to further solve the problem.Also i request to try wireshark (http://www.wireshark.org/) for ssl connection testing.

As it's working by --insecure but you need to know the reason.

--insecure

• (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used.

Also can you please try this

const https = require("https"),
  fs = require("fs");

const options = {
  key: fs.readFileSync("/cert/server-key.pem"),
  cert: fs.readFileSync("/cert/server-cert.pem")
};

const app = express();

app.use((req, res) => {
  res.writeHead(200);
  res.end("hello world\n");
});

app.listen(8000);

https.createServer(options, app).listen(8080);