Custom Registry Unexpected Error - EPROTO error:1408F10B:SSL routines:ssl3_get_record:wrong version

[ccnav]

Bug description

I The the following error whenever i do a yarn install with a simple package.json file and a custom http:// registry. Yarn switches to using it via https:// for some reason which sets off a series of other failures (such as the one in the topic). yarn also stops referencing the provided user/pass combo provided in the set registry option:

Command

# Set a custom registry
yarn config set registry "http://user:pass@custom-registry:8082/artifactory/api/npm/npm-remote/"

# This fails...
yarn install

What is the current behavior?

....
verbose 6.205884195 Performing "GET" request to "https://custom-registry:8082/artifactory/api/npm/npm-remote/defu/-/defu-3.1.0.tgz".
verbose 6.217219449 Performing "GET" request to "https://custom-registry:8082/artifactory/api/npm/npm-remote/@nuxtjs/proxy/-/proxy-2.0.1.tgz".
verbose 6.226892631 Error: write EPROTO 140086489155456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:

    at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:96:16)
error An unexpected error occurred: "https://custom-registry:8082/artifactory/api/npm/npm-remote/@nuxtjs/axios/-/axios-5.12.2.tgz: write EPROTO 140086489155456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
".
info If you think this is a bug, please open a bug report with the information provided in "/src/spaces/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
info There appears to be trouble with your network connection. Retrying...
^C

What is the expected behavior? Previously we were pointing at the internet and everything just works awesome; before I go straight to blaming our new enforced corporate setup to use Artifactory and the mirrored repository (which seems logical at this point) I wanted to share some strange things that occur with the --verbose switch set with yarn install (aside from the Error I'm getting where it all abruptly haults):

1. The first stage of the yarn install correctly references the URL (which is in form http://user:pass@host:port) and succeeds.
2. The second stage of the yarn install once all the dependencies have been worked out, the URL just changes to https://host:port.
   • http becomes https. This is not even identified as the registry entry; so I'm not sure why it's doing this. I had to add yarn config set "strict-ssl" false to get past other issues happening here.
   • host and port are still correct
   • user and pass are just dropped completely from URL
3. npm works perfectly using the same custom registry without error. Ideally i'd much rather use yarn though since that was what we've been using for a year or 2 now.

Steps to Reproduce Command

# the preparation
mkdir testing
cd testing
cat << _EOF > package.json
{
  "name": "bug",
  "version": "1.0.0",
  "description": "bug-reporting-reproduction",
  "author": "bug-reporter",
  "private": true,
  "scripts": {
    "dev": "nuxt",
    "build": "nuxt build",
    "start": "nuxt start",
    "generate": "nuxt generate",
    "lint": "eslint --ext .js,.vue --ignore-path .gitignore .",
    "test": "jest"
  },
  "dependencies": {
    "@nuxtjs/axios": "^5.3.6",
    "chart.js": "^2.9.3",
    "highlight.js": "^9.18.1",
    "luxon": "^1.24.1",
    "mapbox-gl": "^1.11.0",
    "nuxt": "^2.0.0",
    "nuxt-i18n": "^6.12.2",
    "papaparse": "5.2.0",
    "vue-chartjs": "^3.5.0",
    "vue-fullscreen": "^2.1.6",
    "vue-highlight.js": "^3.1.0",
    "vue-mapbox": "^0.4.1",
    "vue-papa-parse": "1.3.0",
    "vue-zoomer": "^0.3.6",
    "vuelidate": "^0.7.5",
    "vuex-persist": "^2.2.0"
  },
  "devDependencies": {
    "@nuxtjs/eslint-config": "^2.0.0",
    "@nuxtjs/eslint-module": "^1.0.0",
    "@nuxtjs/vuetify": "^1.0.0",
    "@vue/test-utils": "^1.0.0-beta.27",
    "babel-eslint": "^10.0.1",
    "babel-jest": "^24.1.0",
    "eslint": "^6.1.0",
    "eslint-plugin-nuxt": ">=0.4.2",
    "jest": "^24.1.0",
    "vue-jest": "^4.0.0-0"
  }
}
_EOF

Then I did the following:

# The custom registry
yarn config set registry "http://user:pass@custom-registry:8082/artifactory/api/npm/npm-remote/"

# I only did this because of some of the weird side effects i eventually see; but this doesn't solve
yarn config set "strict-ssl" false

# This fails to install
yarn install

Here is a screenshot:

Environment

• Node Version: 15.0.1
• Yarn v1 Version: 1.22.5
• OS and version: Debian v10.6

yarn config list
# outputs the below...
yarn config v1.22.5
info yarn config
{
  'version-tag-prefix': 'v',
  'version-git-tag': true,
  'version-commit-hooks': true,
  'version-git-sign': false,
  'version-git-message': 'v%s',
  'init-version': '1.0.0',
  'init-license': 'MIT',
  'save-prefix': '^',
  'bin-links': true,
  'ignore-scripts': false,
  'ignore-optional': false,
  registry: 'http://user:pass@custom-registry:8082/artifactory/api/npm/npm-remote/',
  'strict-ssl': false,
  'user-agent': 'yarn/1.22.5 npm/? node/v15.0.1 linux x64',
  version: '1.22.5'
}
info npm config
{
  version: '1.22.5'
}
Done in 0.07s.

If this isn't a bug, any advice would be awesome! 🙂

[stodge]

Install an nginx proxy (https) in front of Artifactory. Have it strip off SSL before proxying to Artifactory. 😄