SAP / devops-docker-node-browsers

Dockerfile for an image with node and web browsers. This image is intended to be used for end-to-end tests of web applications in Jenkins pipelines.
Apache License 2.0

Apply workaround for tls in https://npm.sap.com #10

Closed fwilhe closed 4 years ago

CCFenner commented 4 years ago

Do you have any more context for this change? Is this temporary?

fwilhe commented 4 years ago

> Do you have any more context for this change? Is this temporary?

We upgraded the image from debian 9 to 10 (to get a newer jre) and with that we get an error from npm.sap.com:

docker run -it --rm ppiper/node-browsers bash
node@34773fec5dd5:/$ cd
node@34773fec5dd5:~$ echo "{}" > package.json
node@34773fec5dd5:~$ npm install @sap/cds
npm ERR! code EPROTO
npm ERR! errno EPROTO
npm ERR! request to https://npm.sap.com/@sap%2fcds failed, reason: write EPROTO 140020372662080:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../deps/openssl/openssl/ssl/t1_lib.c:1111:
npm ERR!

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/node/.npm/_logs/2019-11-27T08_35_33_329Z-debug.log

I think the certificate is at fault, but this is a workaround until that is fixed.

nevskrem commented 4 years ago

@fwilhe I'd be in favor of lowering the standard only particularly to meet our requirement of supporting 'old fashioned' server certificates by modifying the openssl.cnf like `CIPHERS="$(openssl ciphers)" && sed -i "s/DEFAULT@SECLEVEL=2/$CIPHERS:DH-RSA-AES256-SHA256/g" /etc/ssl/openssl.cnf`.

fwilhe commented 4 years ago

> @fwilhe I'd be in favor of lowering the standard only particularly to meet our requirement of supporting 'old fashioned' server certificates by modifying the openssl.cnf like `CIPHERS="$(openssl ciphers)" && sed -i "s/DEFAULT@SECLEVEL=2/$CIPHERS:DH-RSA-AES256-SHA256/g" /etc/ssl/openssl.cnf`.

Thanks, that also works. Updated the PR.

fwilhe commented 4 years ago

Hi @CCFenner, @nevskrem are you ok with this change? I'd like to merge it to make the latest tag of this image usable again (currently only v2 works).

nevskrem commented 4 years ago

Fine from my PoV 👍

fwilhe commented 4 years ago

> Fine from my PoV 👍

I still need an approval :)

CCFenner commented 4 years ago

Sorry, can't judge this.

CCFenner commented 4 years ago

I just came across the same issue with SAP/cloud-mta-build-tool.

Is this a general fix or temporary workaround? Will npm.sap.com fix this issue?

fyi @ShimiT

ShimiT commented 4 years ago

> I just came across the same issue with SAP/cloud-mta-build-tool.
>
> Is this a general fix or temporary workaround? Will npm.sap.com fix this issue?
>
> fyi @ShimiT

@CCFenner - This does not affect MBT. We faced the same issue a few months ago when we upgraded our images to Debian Buster, as the SAP npm repo doesn't support Buster's new security upgrade. The default configuration for OpenSSL in Buster explicitly requires using more secure ciphers and protocols. The server running at http://npm.sap.com/ is running software configured to only provide insecure, older ciphers. This causes SSL connections using OpenSSL from a Buster-based installation to fail. We use `sed -i -E 's/(CipherString\s*=\s*DEFAULT@SECLEVEL=)2/\11/' /etc/ssl/openssl.cnf` to overcome this; we will remove it once the SAP npm repo patches the security level.
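
Added example (not part of the thread or of the image's Dockerfile): a shell check that reads the `@SECLEVEL` pinned in an openssl.cnf, run against a constructed sample stanza before and after the `sed` substitution quoted above, so a pipeline can flag images that still carry the workaround. The function names, the sample file, and the policy of failing a CipherString that carries no `@SECLEVEL` are assumptions of this example.

```bash
# Added example, not from the thread: report the @SECLEVEL pinned by an
# openssl.cnf so a CI check can flag images that still carry the workaround.

# Print the level of the last active CipherString line; "unset" when it has no
# @SECLEVEL suffix, "none" when the file has no active CipherString at all.
cipher_seclevel() {
  awk '
    /^[ \t]*#/ { next }   # ignore commented-out settings
    /^[ \t]*CipherString[ \t]*=/ {
      found = 1; level = "unset"
      if (match($0, /@SECLEVEL=[0-9]+/))
        level = substr($0, RSTART + 10, RLENGTH - 10)
    }
    END { print (found ? level : "none") }
  ' "$1"
}

# Succeed only when a numeric level >= the required one (default 2) is pinned.
seclevel_ok() {
  local level; level="$(cipher_seclevel "$1")"
  case "$level" in ''|*[!0-9]*) return 1 ;; esac
  [ "$level" -ge "${2:-2}" ]
}

# Constructed sample of the stanza the thread's sed targets (assumption: the
# /etc/ssl/openssl.cnf in your own image may differ).
make_sample() {
  cat > "$1" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
# CipherString = DEFAULT@SECLEVEL=1
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# The substitution quoted in the thread, written to stdout instead of in place.
apply_workaround() {
  sed -E 's/(CipherString\s*=\s*DEFAULT@SECLEVEL=)2/\11/' "$1"
}

demo() {
  local dir; dir="$(mktemp -d)"
  make_sample "$dir/stock.cnf"
  apply_workaround "$dir/stock.cnf" > "$dir/patched.cnf"
  echo "stock=$(cipher_seclevel "$dir/stock.cnf") patched=$(cipher_seclevel "$dir/patched.cnf")"
  seclevel_ok "$dir/patched.cnf" || echo "patched.cnf: TLS security level lowered"
  rm -rf "$dir"
}
demo
```

Running `seclevel_ok /etc/ssl/openssl.cnf` as a late build step makes the lowered level an explicit, reviewable exception instead of a silent default.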

CCFenner commented 4 years ago

@ShimiT I meant the Cloud MBT Docker image:

docker run -it devxci/mbtci:1.0.1 bash
mta@e27f80187a8f:~$ npm install --prefix ~ @sap/cds

npm ERR! code EPROTO
npm ERR! errno EPROTO
npm ERR! request to https://npm.sap.com/@sap%2fcds failed, reason: write EPROTO 140223909664640:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../deps/openssl/openssl/ssl/t1_lib.c:1111:
npm ERR! 

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/mta/.npm/_logs/2019-11-28T11_49_08_978Z-debug.log