undici: Can't Ignore SSL Error ERR_SSL_DH_KEY_TOO_SMALL

I’m still having some hard times reproducing, most likely might be doing it wrong; though, an openssl.cnf example for a customized behaviour should follow a similar format:

nodejs_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv2
CipherString = DEFAULT:@SECLEVEL=2

And should be passed down to node using its either flag or the environment variable OPENSSL_CONFIG. e.g. flag node --openssl-config /path/to/config script.js

or through env var OPENSSL_CONF=/path/to/config node script.js

Found the documentation ^^. For those landing on this issue, it’s located here: https://undici.nodejs.org/#/docs/api/Client?id=parameter-connectoptions with a link to this documentation: https://nodejs.org/api/tls.html#tls_tls_connect_options_callback

I confirm this is working fine 🤩 Thank you for your time ! 😃

The solution working for my case:

const { Agent, setGlobalDispatcher, fetch } = await import('undici');
setGlobalDispatcher(new Agent({ connect: { ciphers: 'DEFAULT:@SECLEVEL=1' } }))

await fetch('https://www.aerocontact.com/entreprise-aeronautique/societe-latecoere-1128/offres-emploi-aeronautique?')

You can do it by passing the cipher property to the Agent under the connect scope, e.g.

setGlobalDispatcher(
  new Agent({
    allowH2: true,
    connect: {
      rejectUnauthorized: false,
      ciphers: 'DEFAULT:@SECLEVEL=2',
    }
  })
)

That should do the work 👍

ah, ok sorry, now I got you 👍 And no, it doesn’t work like that; the rejectUnauthorized is meant for CAs, as it will mandate whether or not reject requests whose certificate has a valid CA (avoiding self-signed or similar)

Nice, thanks! I was able to reproduce it; Now, lowering the sec level to 1 did the trick for me; did you try it already?

nodejs_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

Reference

@metcoder95 i closed this issue a bit too fast. I succeed to reproduce the bug with previous openssl version. Here is how to proceed :

This openssl.cnf file

nodejs_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2

Then node --openssl-config ./openssl.cnf and execute

const { Agent, setGlobalDispatcher, fetch } = await import('undici');
setGlobalDispatcher(new Agent({ connect: { rejectUnauthorized: false, } }))

await fetch('https://www.aerocontact.com/entreprise-aeronautique/societe-latecoere-1128/offres-emploi-aeronautique?')

This will throw ERR_SSL_DH_KEY_TOO_SMALL.

PS : If you get UND_ERR_CONNECT_TIMEOUT error, just run the fetch again (this website is really slow)

Hi @metcoder95 sry for wrong issue report. I tried with your openssl.cnf format and it’s working fine. I bet i miss-unerstood the tutorials about how to write this file :face_in_clouds: