SSL routines:final_renegotiate:unsafe legacy renegotiation disabled
Hi!
When using the Tydom's local IP instead of the default mediation.tydom.com, the program fails with an SSL error, even with NODE_TLS_REJECT_UNAUTHORIZED=0:
$ export NODE_TLS_REJECT_UNAUTHORIZED=0
$ npx tydom-client request /ping --username 00XXXXXXXXXX --password XXXXXXXX --hostname 192.168.0.XXX
Creating tydom client ...
Connecting to hostname='192.168.0.XXX' with username='00XXXXXXXXXX' ...
tydom-client About to GET request with url='https://192.168.0.XXX/mediation/client?mac=00XXXXXXXXXX&appli=1' +0ms
(node:109230) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
(Use `node --trace-warnings ...` to show where the warning was created)
tydom request [uri]
request tydom
Positionals:
uri request uri [string] [required]
Options:
--version Show version number [boolean]
--username tydom username [string] [required]
--password tydom password [string] [required]
--hostname request hostname
[string] [required] [default: "mediation.tydom.com"]
--method request method [string] [default: "GET"]
--command request command [boolean] [default: false]
-v, --verbose Run with verbose logging [boolean]
--help Show help [boolean]
--file save to file [string]
Examples:
tydom request /info --file info.json
RequestError: write EPROTO C087DDC9357F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:893:
at ClientRequest.<anonymous> (/tmp/node_modules/got/dist/source/core/index.js:970:111)
at Object.onceWrapper (node:events:628:26)
at ClientRequest.emit (node:events:525:35)
at origin.emit (/tmp/node_modules/@szmarczak/http-timer/dist/source/index.js:43:20)
at TLSSocket.socketErrorListener (node:_http_client:494:9)
at TLSSocket.emit (node:events:513:28)
at emitErrorNT (node:internal/streams/destroy:151:8)
at emitErrorCloseNT (node:internal/streams/destroy:116:3)
at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) {
code: 'EPROTO',
timings: {
start: 1672346359527,
socket: 1672346359532,
lookup: 1672346359539,
connect: 1672346359539,
secureConnect: undefined,
upload: 1672346359545,
response: undefined,
end: undefined,
error: 1672346359547,
abort: undefined,
phases: {
wait: 5,
dns: 7,
tcp: 0,
tls: undefined,
request: 6,
firstByte: undefined,
download: undefined,
total: 20
}
}
}
The same command works when removing the --hostname option.
Is this a known issue?
Versions:
"mainVersionSW": "03.04.15",
"mainVersionHW": "00.00.01"
You have to downgrade your NodeJS version to 16.0 as 17+ started to ship with OpenSSL 3.0 that disables some legacy SSL schemes. Does not look like there is a flag to force enable it in NodeJS.
Hey,
Same here, I've tried without success:
Adding env var:
NODE_OPTIONS=--openssl-legacy-provider
Setting conf for SSL:
OPENSSL_CONF=/data/openssl.cnf
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
Modifying library with this in utils/tydom.js:
```
https: {
  rejectUnauthorized: isRemote,
  certificateAuthority: fs.readFileSync('/data/tydom.pem'),
  secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT
}
```
FYI: Homebridge docker container with node.js 16.18.0 has a tag oznu/homebridge:2022-10-14, all later versions node.js 18.12.1
@abstract-entity Hello, I managed to run the latest version of the Homebridge docker container with node.js 18.13.0 by creating openssl.cnf in the homebridge home directory and pointing to it with the OPENSSL_CONF environment variable, using this command:
sudo docker run -itd \
--name=homebridge \
--net=host \
--restart always \
-e PUID=1000 -e PGID=1000 \
-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
-e OPENSSL_CONF=/homebridge/openssl.cnf \
...
-v /usr/share/homebridge:/homebridge \
oznu/homebridge:latest
openssl.cnf
nodejs_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
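
The two openssl.cnf files posted in this thread differ only in their first key (`openssl_conf` in one, `nodejs_conf` in the other). As an added example that is not part of any comment above or of tydom-client, this checker follows the chain from that key to the `Options` line and reports whether a file really switches on UnsafeLegacyRenegotiation for the key a runtime reads. It assumes Node.js reads `nodejs_conf` unless started with `--openssl-shared-config`; `parseCnf`, `legacyRenegotiationEnabled` and the sample strings are illustrative names.

```javascript
// Added example, not code from this thread or from tydom-client.
// Assumption: Node.js resolves its OpenSSL settings from the `nodejs_conf` key
// by default and from `openssl_conf` only when started with --openssl-shared-config.
// Minimal openssl.cnf reader: keys before the first [section] land in "default".
function parseCnf(text) {
  const sections = Object.create(null);
  let current = 'default';
  sections[current] = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const sec = line.match(/^\[\s*([^\]]+?)\s*\]$/);
    if (sec) { current = sec[1]; sections[current] = sections[current] || {}; continue; }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv) sections[current][kv[1]] = kv[2];
  }
  return sections;
}

// Follow initKey -> ssl_conf -> system_default -> Options and report whether
// UnsafeLegacyRenegotiation ends up switched on for that entry point.
function legacyRenegotiationEnabled(text, initKey = 'nodejs_conf') {
  const s = parseCnf(text);
  const init = s[s.default[initKey]];
  const ssl = init && s[init.ssl_conf];
  const sys = ssl && s[ssl.system_default];
  let enabled = false;
  for (const flag of ((sys && sys.Options) || '').split(/[\s,]+/)) {
    // Matched case-insensitively so an audit errs toward flagging the file.
    if (/^\+?UnsafeLegacyRenegotiation$/i.test(flag)) enabled = true;
    if (/^-UnsafeLegacyRenegotiation$/i.test(flag)) enabled = false;
  }
  return enabled;
}

// Sample inputs: the two files posted above, differing only in the first key.
const BODY = `
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
`;
const CNF_OPENSSL_KEY = 'openssl_conf = openssl_init' + BODY;
const CNF_NODEJS_KEY = 'nodejs_conf = openssl_init' + BODY;

console.log(legacyRenegotiationEnabled(CNF_OPENSSL_KEY), legacyRenegotiationEnabled(CNF_NODEJS_KEY));
```

Running the same check over any file that OPENSSL_CONF points to shows whether the renegotiation safeguard is relaxed for every TLS connection the process makes, not only the one to the Tydom box.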