Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] npm fails to install package npm ERR! errno EPROTO #6070

Closed
2 tasks done
WhaleyBoomer opened this issue Jan 19, 2023 · 10 comments
Closed
2 tasks done

[BUG] npm fails to install package npm ERR! errno EPROTO #6070

WhaleyBoomer opened this issue Jan 19, 2023 · 10 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments

@WhaleyBoomer
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm fails to install any packages and gives following errors:
14:08:30:276 ====Executing command 'npm install react-dom --save-prod '====
14:08:30:276
14:09:43:819 npm ERR! code EPROTO
14:09:43:821 npm ERR! syscall write
14:09:43:824 npm ERR! errno EPROTO
14:09:43:826 npm ERR! request to https://registry.npmjs.org/react-dom failed, reason: write EPROTO C84A0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:c:\ws\deps\openssl\openssl\ssl\statem\extensions.c:922:
14:09:43:827 npm ERR!
14:09:43:828 npm ERR! A complete log of this run can be found in:
14:09:43:829 npm ERR! C:\Users\Whaley\AppData\Local\npm-cache_logs\2023-01-19T20_08_32_441Z-debug-0.log
14:09:43:843
14:09:43:843 ====npm command completed with exit code 1====
14:09:43:843

Expected Behavior

Expect packages to install

Steps To Reproduce

  1. Visual Studio 2022 or with Command Prompt
  2. With this config...
  3. Run '...'
  4. 14:08:30:276 ====Executing command 'npm install react-dom --save-prod '====
    14:08:30:276
    14:09:43:819 npm ERR! code EPROTO
    14:09:43:821 npm ERR! syscall write
    14:09:43:824 npm ERR! errno EPROTO
    14:09:43:826 npm ERR! request to https://registry.npmjs.org/react-dom failed, reason: write EPROTO C84A0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:c:\ws\deps\openssl\openssl\ssl\statem\extensions.c:922:
    14:09:43:827 npm ERR!
    14:09:43:828 npm ERR! A complete log of this run can be found in:
    14:09:43:829 npm ERR! C:\Users\Whaley\AppData\Local\npm-cache_logs\2023-01-19T20_08_32_441Z-debug-0.log
    14:09:43:843
    14:09:43:843 ====npm command completed with exit code 1====
    14:09:43:843

Environment

  • npm: 8.19.2
  • Node.js:18.12.1
  • OS Name:Windows 10 21H1
  • System Model Name:Dell Latitude 5490
  • npm config:
; copy and paste output from `npm config ls` here
C:\Users\Whaley\source\repos\ReactExample\ReactExample>npm config ls
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\Whaley\\AppData\\Roaming\\npm"

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v18.12.1
; npm local prefix = C:\Users\Whaley\source\repos\ReactExample\ReactExample
; npm version = 8.19.2
; cwd = C:\Users\Whaley\source\repos\ReactExample\ReactExample
; HOME = C:\Users\Whaley
; Run `npm config ls -l` to show all defaults.
@WhaleyBoomer WhaleyBoomer added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Jan 19, 2023
@fritzy
Copy link
Contributor

fritzy commented Mar 1, 2023

Likely your connecting to a server or through a proxy of some sort that uses legacy SSL options. This is a network or registry configuration issue.

@fritzy fritzy closed this as completed Mar 1, 2023
@Stargator
Copy link

@fritzy, what would be the workaround or solution for this? Because I agree it's a network issue for me and the network won't change anything because they see a security issue in how NPM is pulling down packages.

This is from the my network IT folks:

This means, when executing the 'npm install' command to pull source files to your project will fail. The break and inspect of the network traffic causes the security in Node.JS to error. It is because of the traffic is being re-signed.

This re-signing of the packages is what is causing a security issue for us. And they don't see a workaround on their end.

@ljharb
Copy link
Contributor

ljharb commented Apr 21, 2023

Re-signing traffic like that is a security issue; they’re explicitly being a “man in the middle”.

@lucas-labs
Copy link

lucas-labs commented May 11, 2023

Is there any workaround?
We are migrating from node v16 to lts and this error is being a nightmare. I understand openssl provides SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION to "bypass" this, but I guess there's not way to tell npm to switch that option on.

I understand this is a network issue, and I agree the solution should be not to re-sign cetificates, but that's something many companies do for some reason (I'm not a network engineer so I can't think of any valid reason, but maybe there's one).

Shouldn't at least exists a last resource "allow unsafe renegotiation at your own risk" option? Right now, the only workaround is to not use node > v18

@Stargator
Copy link

I agree with @lucas-labs there are organizations that do not trust the public NPM registry to contain safe non-malicious software. So it's only naturally that they want to scan the contents for any threats.

@ljharb
Copy link
Contributor

ljharb commented May 19, 2023

fwiw the only reasonable way to do this is an internal registry, and NOT to hijack SSL traffic.

@camAtGitHub
Copy link

No love for the people behind a corporate firewall and intercepting proxy? Fear not!
This is from the view point of getting Neovim working which is using node under the hood (and all the problems were node related). You might have to perform either the first or both steps depending on your situation.

  • Create a file called openssl.cnf with the contents:
# File: ~/.npm/openssl.cnf
nodejs_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
  • Next you need the CA cert from the intercepting proxy, one way to get it via openssl s_client -connect registry.npmjs.org:443 --showcerts and grab the bottom most certificate block.
  • Save that somewhere eg. ~/.npm/ca.pem
    • example: cat ~/.npm/ca.pem
-----BEGIN CERTIFICATE-----
ICAgICAgQSBncm91cCBvZiB3b3JrZXJzLCBib3VuZCBieSBhIGNvcnBvcmF0ZSB3YWxsLAogICAg
ICBUaGVpciBvbmxpbmUgZnJlZWRvbSBoYWx0ZWQgYnkgYSBmaXJld2FsbCdzIGNhbGwuCiAgICAg
IEJ1dCB0aGVuIGFycml2ZWQgYSBtYW4sIG15c3RlcmlvdXMgYW5kIHRydWUsCiAgICAgIFRvIGd1
aWRlIHRoZW0gdG93YXJkcyBhIGJyZWFrdGhyb3VnaC4KCiAgICAgIEhlIGxlZCB0aGVtIHRocm91
Z2ggdGhlIHByb3h5LCB3aXRoIHNraWxsIGFuZCBjaGFybSwKICAgICAgQW5kIHRoZWlyIGhlYXJ0
cyBzYW5nIGFzIHRoZXkgc2F3IGhpcyBmYWNlLCB3YXJtLgogICAgICBGb3IgaGUgd2FzIHRoZWly
IHNhdmlvciwgb24gdGhhdCBmYXRlZnVsIGRheSwKICAgICAgQSBoZXJvIHRoZXknZCByZW1lbWJl
ciwgY29tZSB3aGF0IG1heS4KCg==
-----END CERTIFICATE-----
  • and then finally launch node / nvim with the following ENV VARS. NODE_EXTRA_CA_CERTS=~/.npm/ca.pem OPENSSL_CONF=~/.npm/openssl.cnf
    • eg. NODE_EXTRA_CA_CERTS=~/.npm/ca.pem OPENSSL_CONF=~/.npm/openssl.cnf node
    • additionally you may have to set/export your http_proxy and https_proxy vars if you haven't already - but you can google that.

@giuliohome
Copy link

giuliohome commented Feb 28, 2024

Is there a way to set

Options = UnsafeLegacyRenegotiation

(or the newer unsafe server connect)
so that it takes effect on npm i ?
It should be a matter of configuring the openssl that npm install is using, right?

@giuliohome
Copy link

giuliohome commented Feb 28, 2024

Maybe this is relevant to make the above said configuration effective:

With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named nodejs_conf.

🤨🧐🤔

It should be

nodejs_conf = openssl_init

etc... as @camAtGitHub wrote: I'll try asap.

@giuliohome
Copy link

giuliohome commented Feb 29, 2024

Nope :-( I still get an error

localhost:~/node/test# npm i node-fetch  --loglevel verbose
npm verb cli /usr/bin/node /usr/bin/npm
npm info using npm@10.4.0
npm info using node@v20.11.1
npm verb title npm i node-fetch
npm verb argv "i" "node-fetch" "--loglevel" "verbose"
npm verb logfile logs-max:10 dir:/root/.npm/_logs/2024-02-29T08_04_10_081Z-
npm verb logfile /root/.npm/_logs/2024-02-29T08_04_10_081Z-debug-0.log
npm verb type system
npm verb stack FetchError: request to https://registry.npmjs.org/node-fetch failed, reason: A86959FFCD7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:892:
npm verb stack
npm verb stack     at ClientRequest.<anonymous> (/usr/lib/node_modules/npm/node_modules/minipass-fetch/lib/index.js:130:14)
npm verb stack     at ClientRequest.emit (node:events:518:28)
npm verb stack     at _destroy (node:_http_client:875:13)
npm verb stack     at onSocketNT (node:_http_client:895:5)
npm verb stack     at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
npm verb cwd /root/node/test
npm verb Linux 6.6.14-0-lts
npm verb node v20.11.1
npm verb npm  v10.4.0
npm ERR! code ERR_SSL_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
npm ERR! errno ERR_SSL_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
npm ERR! request to https://registry.npmjs.org/node-fetch failed, reason: A86959FFCD7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:892:
npm ERR!
npm verb exit 1
npm verb unfinished npm timer reify 1709193850421
npm verb unfinished npm timer reify:loadTrees 1709193850426
npm verb code 1

npm ERR! A complete log of this run can be found in: /root/.npm/_logs/2024-02-29T08_04_10_081Z-debug-0.log

I see that this is not a pure node issue, because

node --openssl-config ~/.npm/openssl.cnf https.js

does work while

node  https.js

throws hence the node started from npm is not getting the right config for some reason...

🎉 OK, finally solved ❤️ , I had a typo in my export OPENSSL_CONF=~/.npm/openssl.cnf 🙌

I confirm it now works with

[system_default_sect]
# Options = UnsafeLegacyRenegotiation
Options = UnsafeLegacyServerConnect

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release
Projects
None yet
Development

No branches or pull requests

7 participants