mgcrea/node-tydom-client

SSL routines:final_renegotiate:unsafe legacy renegotiation disabled

Opened this issue · 4 comments

Hi!

When using the Tydom's local IP instead of the default mediation.tydom.com, the program fails with an SSL error, even with NODE_TLS_REJECT_UNAUTHORIZED=0:

$ export NODE_TLS_REJECT_UNAUTHORIZED=0
$ npx tydom-client request /ping --username 00XXXXXXXXXX --password XXXXXXXX --hostname 192.168.0.XXX
Creating tydom client ...
Connecting to hostname='192.168.0.XXX' with username='00XXXXXXXXXX' ...
  tydom-client About to GET request with url='https://192.168.0.XXX/mediation/client?mac=00XXXXXXXXXX&appli=1' +0ms
(node:109230) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
(Use `node --trace-warnings ...` to show where the warning was created)
tydom request [uri]

request tydom

Positionals:
  uri  request uri                                           [string] [required]

Options:
      --version   Show version number                                  [boolean]
      --username  tydom username                             [string] [required]
      --password  tydom password                             [string] [required]
      --hostname  request hostname
                            [string] [required] [default: "mediation.tydom.com"]
      --method    request method                       [string] [default: "GET"]
      --command   request command                     [boolean] [default: false]
  -v, --verbose   Run with verbose logging                             [boolean]
      --help      Show help                                            [boolean]
      --file      save to file                                          [string]

Examples:
  tydom request /info --file info.json

RequestError: write EPROTO C087DDC9357F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:893:

    at ClientRequest.<anonymous> (/tmp/node_modules/got/dist/source/core/index.js:970:111)
    at Object.onceWrapper (node:events:628:26)
    at ClientRequest.emit (node:events:525:35)
    at origin.emit (/tmp/node_modules/@szmarczak/http-timer/dist/source/index.js:43:20)
    at TLSSocket.socketErrorListener (node:_http_client:494:9)
    at TLSSocket.emit (node:events:513:28)
    at emitErrorNT (node:internal/streams/destroy:151:8)
    at emitErrorCloseNT (node:internal/streams/destroy:116:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
    at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) {
  code: 'EPROTO',
  timings: {
    start: 1672346359527,
    socket: 1672346359532,
    lookup: 1672346359539,
    connect: 1672346359539,
    secureConnect: undefined,
    upload: 1672346359545,
    response: undefined,
    end: undefined,
    error: 1672346359547,
    abort: undefined,
    phases: {
      wait: 5,
      dns: 7,
      tcp: 0,
      tls: undefined,
      request: 6,
      firstByte: undefined,
      download: undefined,
      total: 20
    }
  }
}

The same command works when removing the --hostname option.

Is this a known issue?

Versions:
"mainVersionSW": "03.04.15",
"mainVersionHW": "00.00.01"

You have to downgrade your NodeJS version to 16.0 as 17+ started to ship with OpenSSL 3.0 that disables some legacy SSL schemes. Does not look like there is a flag to force enable it in NodeJS.

Hey,
Same here, I've tried the following without success:

Adding env var:
NODE_OPTIONS=--openssl-legacy-provider

Setting conf for SSL:
OPENSSL_CONF=/data/openssl.cnf

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

Modifying the library with this in utils/tydom.js:

https: {
    rejectUnauthorized: isRemote,
    certificateAuthority: fs.readFileSync('/data/tydom.pem'),
    secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT
}

FYI: Homebridge docker container with node.js 16.18.0 has a tag oznu/homebridge:2022-10-14, all later versions node.js 18.12.1

@abstract-entity Hello, I managed to run the latest version of the Homebridge docker container with node.js 18.13.0 by creating openssl.cnf in the homebridge home directory and pointing to it with the OPENSSL_CONF environment variable, using the command:

sudo docker run -itd \
--name=homebridge \
--net=host \
--restart always \
-e PUID=1000 -e PGID=1000 \
-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
-e OPENSSL_CONF=/homebridge/openssl.cnf \
...
-v /usr/share/homebridge:/homebridge \
oznu/homebridge:latest

openssl.cnf

nodejs_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation