SamDecrock / node-http-ntlm

Node.js module to authenticate using HTTP NTLM
MIT License

Stopped working with Node LTS 18? ("Error: error:0308010C:digital envelope routines::unsupported") #103

Closed pano9000 closed 1 year ago

pano9000 commented 1 year ago

Hello,

When I try to run some code that uses node-http-ntlm using the latest Node LTS (currently v18.12.1), it results in an error:

node:internal/crypto/cipher:116
    this[kHandle].initiv(cipher, credential, iv, authTagLength);
                  ^
Error: error:0308010C:digital envelope routines::unsupported
    at Cipheriv.createCipherBase (node:internal/crypto/cipher:116:19)
    at Cipheriv.createCipherWithIV (node:internal/crypto/cipher:135:3)
    at new Cipheriv (node:internal/crypto/cipher:243:3)
    at Object.createCipheriv (node:crypto:141:10)
    at encrypt (C:\folder\node_modules\httpntlm\ntlm.js:265:20)
    at create_LM_hashed_password_v1 (C:\folder\node_modules\httpntlm\ntlm.js:269:27)
    at Object.createType3Message (C:\folder\node_modules\httpntlm\ntlm.js:181:70)
    at sendType3Message (C:\folder\node_modules\httpntlm\httpntlm.js:77:23)
    at Immediate.<anonymous> (C:\folder\node_modules\httpntlm\httpntlm.js:101:4)
    at process.processImmediate (node:internal/timers:471:21) {
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

Node.js v18.12.1

Running the same code with the previous LTS (v16), I do not experience that issue.

According to [1], it seems to have to do with some breaking change that happened in node.js v17 related to openssl. A "workaround" apparently is to use "--openssl-legacy-provider" with node or downgrading to v16 - both of which do not feel like a "real solution".

Is anyone else experiencing the same issue with node v18, or is it just me?

[1] https://stackoverflow.com/questions/69692842/error-message-error0308010cdigital-envelope-routinesunsupported

skrtheboss commented 1 year ago

After some debugging I found that the problem lies in those two blocks:

https://github.com/SamDecrock/node-http-ntlm/blob/7058d3482a95bdf7f8686653a9e361d6f3abd20d/ntlm.js#L366-L371
https://github.com/SamDecrock/node-http-ntlm/blob/7058d3482a95bdf7f8686653a9e361d6f3abd20d/ntlm.js#L373-L391

One is using md4 and the other DES-ECB, which have both been removed in the default provider of OpenSSL v3, see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers.

pano9000 commented 1 year ago

So I guess, this leaves us 2 paths for NTLMv1

  1. accept and use the --openssl-legacy-provider mode as long as it still exists - however that is something that would need to be mentioned in the README then
  2. replace these hashing methods by external implementations/dependencies

I also found another project facing a similar issue here: https://github.com/tediousjs/tedious/issues/1447 (Although they just talk about md4 in that issue).

There also exists a fork of "node-http-ntlm", which seems to be doing exactly what I described in point 2) from above: https://github.com/ftechhelp/request-simple-ntlm-md4 (I haven't tested it though)

@SamDecrock what do you think?

arzooChhatani commented 1 year ago

I have checked this fork https://github.com/ftechhelp/request-simple-ntlm-md4 but it's throwing the same error:

Error: error:0308010C:digital envelope routines::unsupported

@SamDecrock ,

pano9000 commented 1 year ago

@arzooChhatani thanks for checking. I assume it does show the same error, because that fork only replaced the 'MD4', but not 'DES-ECB'. For 'DES-ECB' it still uses node's crypto module, which of course depends on OpenSSL, so we would need some replacement for 'DES-ECB' as well.
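
As an added example (not code from this repository or from any commenter): a startup probe that exercises the two primitives named above, MD4 and DES-ECB, and reports which ones the running Node.js build refuses. The function names are hypothetical and the key and plaintext are constructed values.

```javascript
const crypto = require('crypto');

// Run one crypto operation and report whether the active OpenSSL providers allow it.
function probe(name, fn) {
  try {
    fn();
    return { name, available: true, code: null };
  } catch (err) {
    // On a Node build like the one in this thread the error lands here with
    // code 'ERR_OSSL_EVP_UNSUPPORTED'; other builds may report a different code.
    return { name, available: false, code: err.code || err.message };
  }
}

function probeNtlmPrimitives() {
  const desKey = Buffer.from('0102030405060708', 'hex'); // constructed 8-byte key
  const block = Buffer.alloc(8);                          // constructed plaintext block
  return [
    probe('md4', () => crypto.createHash('md4').update('probe').digest()),
    probe('des-ecb', () => {
      const cipher = crypto.createCipheriv('des-ecb', desKey, null);
      cipher.setAutoPadding(false);
      Buffer.concat([cipher.update(block), cipher.final()]);
    }),
    // Control: expected to succeed everywhere, so a failure above is about
    // the algorithm and not about the crypto module as a whole.
    probe('sha256', () => crypto.createHash('sha256').update('probe').digest()),
  ];
}

// Names of the legacy primitives that need a pure-JS replacement or the
// --openssl-legacy-provider flag on this runtime.
function missingPrimitives(results) {
  return results.filter(r => !r.available && r.name !== 'sha256').map(r => r.name);
}

const results = probeNtlmPrimitives();
console.log(results);
console.log('unavailable legacy primitives:', missingPrimitives(results));
```

A fork that swaps out only one of the two primitives still shows the other as unavailable here, which matches the behaviour reported for the MD4-only fork.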

arzooChhatani commented 1 year ago

@SamDecrock , any plan to handle this ?

cjnoname commented 1 year ago

We got the same issue here

arzooChhatani commented 1 year ago

@SamDecrock , any plan to handle this ?

arzooChhatani commented 1 year ago

@SamDecrock , any plan to handle this ?

arzooChhatani commented 1 year ago

@SamDecrock , any plan to handle this on node 18 ?

cjnoname commented 1 year ago

Hi @SamDecrock,

Could you please look into this issue? Everyone who is using this package cannot upgrade to NodeJS 18.

Thanks, CJ

arzooChhatani commented 1 year ago

@SamDecrock , any plan to handle this on node 18 ?

skrtheboss commented 1 year ago

I have seen that someone opened a pull request in the axios-ntlm repository, which could be applied in this repository as well. They have used des.js for replacing the DES-ECB call and js-md4 for the md4 call.

arzooChhatani commented 1 year ago

Hi @skrtheboss, I tried using the axios-ntlm repository; they haven't replaced the DES-ECB and md4 calls in every place. It is still throwing the digital envelope routines error in node 18.

skrtheboss commented 1 year ago

Hi @arzooChhatani, I have created new npm packages, since I could not wait for this to be released.

  - @node-ntlm/core: Node.js NTLM utility package
  - @node-ntlm/httpreq: Node.js library to do HTTP NTLM authentication with httpreq

Let me know if they work out for you, or if you have any suggestions/issues.

arzooChhatani commented 1 year ago

Hi @skrtheboss, I have tried using the httpreq package in node 14 and node 18 but I am getting the "Couldn't find NTLM in the message type2 comming from the server" error. Could you please help me to resolve this problem?

skrtheboss commented 1 year ago

@arzooChhatani can you create a reproduction repo somewhere?

skrtheboss commented 1 year ago

@arzooChhatani can you try with the v0.3.1 version?

arzooChhatani commented 1 year ago

@skrtheboss, I have tried with version v0.3.0, will try with v0.3.1 and let you know.

arzooChhatani commented 1 year ago

@skrtheboss, it's still not working. When I tried to debug, I found out that we are not getting a proper response from the server in the www-authenticate headers.

arzooChhatani commented 1 year ago

@skrtheboss, the changes done in createType1Message are causing that error. Could you please try to compare it with the one present in httpntlm? When I replace this function with the one present in httpntlm, it works for me. Could you please check?

skrtheboss commented 1 year ago

@arzooChhatani I think I have found the issue, can you try with the v0.3.2? Thank you!

arzooChhatani commented 1 year ago

@skrtheboss, I have verified it's working now. Thank you.

skrtheboss commented 1 year ago

Perfect, thank you for your time/feedback.

MPParsley commented 1 year ago

Hi @skrtheboss, thanks for the fix. Could you document steps to migrate from this project?

skrtheboss commented 1 year ago

It should actually be very straightforward. For example:

const httpreq = require('httpntlm');

function fetchNtlm() {
    httpreq.get({
        url: 'http://ntlm-endpoint/api',
        username: 'test',
        password: 'test'
    }, (error, res) => {
        if (error) {
            console.error('An error occurred!', error);
        } else {
            console.log(res.body);
        }
    })
}

fetchNtlm();

Should look like this:

const httpreq = require('@node-ntlm/httpreq');

async function fetchNtlm() {
    try {
        const res = await httpreq.get({
            url: 'http://ntlm-endpoint/api',
            username: 'test',
            password: 'test'
        })

        console.log(res.body);
    } catch (error) {
        console.error('An error occurred!', error);
    }
}

fetchNtlm();

MPParsley commented 1 year ago

Thank you @skrtheboss. As such? https://github.com/StadGent/node_service_adlib-backend/pull/97/files#diff-adfe1df457e66ec8fdc773c3e0e1b0badff9448167269161b7f135b43f315c6fR1

SamDecrock commented 1 year ago

Hi, I fixed it in version 1.8.3. Sorry for the big delay, and thanks for the pointers on how to fix it.