Closed JohanSpannare closed 3 years ago
@isaacs please have a look at this issue
what you're providing isn't environment variables, they're command line flags. we definitely do not pass unknown command line flags through to node proper, so you're right that doesn't work and deliberately will not.
as for your root concern of being able to specify a minimum tls version, that could potentially be implemented as a new feature but if there's an incompatibility in the proxy agent we leverage then it likely won't be done until a fix lands upstream.
Yes, they are arguments, but you can also set them by editing js files.
The problem is still there, TLS Client Hello message from https-proxy-agent is not following the RFC standard. It sends protocol version 1.0, but at the same time uses client version 1.2. This is not valid and will be dropped by WAF (Web Application Firewall / F5).
And the HTTP connection header is set to close, which will cause the TLS negotiation to fail since F5 will close the connection (RFC standard) when the Client Hello message is not supported (We only support version >1.2 in TLS).
NPM CLI is sadly not supporting TLS >1.0 over HTTPS Proxy when it's using HTTPS-PROXY-AGENT as its module for proxies. Either HTTPS-PROXY-AGENT needs to be patched, or NPM CLI needs to make use of some other module for its proxy support.
npm `v6` is no longer in active development; we will continue to push security releases to `v6` at our team's discretion as per our Support Policy.
If your bug is reproducible on `v7`, please re-file this issue using our new issue template.
If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.
Closing: This is an automated message.
Possibility to force min and max TLS version to use by npm via proxy.
npm is by default (see Wireshark) trying to use TLSv1, which is not supported by our proxy. Have tried to find a way to configure node/npm to honor `--tls-min-v1.2` and/or `--tls-cipher-list=list` without success.
Wireshark dump (NOT WORKING)
Wireshark dump (WORKING)
Conclusion
When using proxy, TLSv1.2 is not used in the protocol version, so it seems to me that the proxy used is the problem.
RFC 5246
RFC states that protocol version should match the version of TLS used.
https://tools.ietf.org/html/rfc5246#section-7.4
Logs
The first example below shows the request without any configurations (TLSv1), the second request has min and max version set, it still uses protocol TLSv1, but announces 1.2 in supported protocols.
TLS Options used to force TLSv1.2
Workaround
Removing "headers.Connection = 'close';" at line 111 in "C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\dist\agent.js" seems to "work around" the problem.
TooTallNate/node-https-proxy-agent#18
This PR will solve this issue TooTallNate/node-https-proxy-agent/pull/112
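
To compare the version fields discussed in this thread on a captured first record, here is an added example (not code from npm or https-proxy-agent). It reads the record-layer version, the handshake client_version and any supported_versions extension from a ClientHello. Function names are hypothetical and the sample bytes are constructed.

```javascript
// Added example; function names are hypothetical, sample bytes are constructed.
const NAMES = { 0x0301: 'TLSv1.0', 0x0302: 'TLSv1.1', 0x0303: 'TLSv1.2', 0x0304: 'TLSv1.3' };
const name = (v) => NAMES[v] || '0x' + v.toString(16).padStart(4, '0');

// Return the three version signals carried by a ClientHello record.
function inspectClientHello(buf) {
  if (buf.length < 9 || buf[0] !== 0x16 || buf[5] !== 0x01) throw new Error('not a ClientHello record');
  const end = 9 + buf.readUIntBE(6, 3);           // end of the handshake body
  if (end > buf.length || end > 5 + buf.readUInt16BE(3)) throw new Error('truncated or fragmented');
  let p = 9;
  const skip = (lenBytes) => {                    // step over a length-prefixed vector
    if (p + lenBytes > end) throw new Error('malformed');
    p += lenBytes + buf.readUIntBE(p, lenBytes);
    if (p > end) throw new Error('malformed');
  };
  if (p + 34 > end) throw new Error('malformed');
  const clientVersion = buf.readUInt16BE(p);
  p += 34;                                        // client_version + 32-byte random
  skip(1); skip(2); skip(1);                      // session_id, cipher_suites, compression_methods
  const supported = [];
  if (p + 2 <= end) {                             // extensions are optional
    const extEnd = p + 2 + buf.readUInt16BE(p);
    if (extEnd > end) throw new Error('malformed');
    p += 2;
    while (p + 4 <= extEnd) {
      const type = buf.readUInt16BE(p), len = buf.readUInt16BE(p + 2);
      p += 4;
      if (p + len > extEnd) throw new Error('malformed');
      if (type === 43)                            // supported_versions: 1-byte length, then 2-byte versions
        for (let q = p + 1; q + 2 <= p + len; q += 2) supported.push(name(buf.readUInt16BE(q)));
      p += len;
    }
  }
  return { record: name(buf.readUInt16BE(1)), clientVersion: name(clientVersion), supported };
}

// Build a minimal ClientHello for the demo (zero random, one cipher suite).
function sampleHello(recordVersion, clientVersion, extensions = Buffer.alloc(0)) {
  const u16 = (v) => Buffer.from([v >> 8, v & 0xff]);
  const ext = extensions.length ? Buffer.concat([u16(extensions.length), extensions]) : extensions;
  const body = Buffer.concat([u16(clientVersion), Buffer.alloc(32), Buffer.from([0]),
    Buffer.from([0x00, 0x02, 0xc0, 0x2f]), Buffer.from([0x01, 0x00]), ext]);
  const hs = Buffer.concat([Buffer.from([0x01, 0x00]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16]), u16(recordVersion), u16(hs.length), hs]);
}

// Record layer 0x0301 with client_version 0x0303, the combination reported in this issue.
console.log(inspectClientHello(sampleHello(0x0301, 0x0303)));
```

To run it against a capture, pass the raw bytes of the first TLS record as a `Buffer` instead of the constructed sample.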