Cannot communicate to web app powered by Node 4.6 from Windows Server 2003 using HTTPS

[asuchac]

• Version: 4.6.0
• Platform: Linux 3.13.0-85-generic test: fix test-fs-symlink-dir-junction-relative #129-Ubuntu SMP Thu Mar 17 20:50:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

I have web client running on Windows Server 2003 communicating with web app powered by NodeJS - this app runs on Ubuntu 14.04.5 LTS server.

The protocol is HTTPS. The Windows web client uses Microsoft's SSL components.

When I updated the Node from ver 4.4.0 to 4.6.0, I couldn't connect to the web app anymore. This applies only to the web clients and browsers using Microsoft's SSL components, e.g. Internet Explorer.

When I tried to reach the web app from Firefox, all was good. Also, there was no problem to connect to my web app from more recent Windows, e.g. Win 8.

I have workaround solution put in place - I rolled back to Node 4.4.0,

I just wanted to alert NodeJS team of this issue. Can't say if it's Node issue or Windows Server 2003 issue - probably the later.

[targos]

cc @nodejs/crypto

[mscdex]

Did you try other versions in between (4.4.0<n<4.5.0)? There was this for example that happened in node v4.4.1 that may affect things for you. Another example of OpenSSL/TLS changes is the OpenSSL upgrade in node v4.6.0.

It does sound like there was some change that increased security and the SSL implementation in Server 2003/XP is not updated to support those stricter, higher security configurations.

[asuchac]

No, I haven't try other versions - just 4.4.0 (OK) and 4.6.0 (no good). I agree that it seems that SSL components on Windows Server 2003 doesn't seem to support stricter security.

I don't know what exact key of OpenSSL (or something else) on Node is causing it. I don't have enough knowledge, time and motivation (I have workaround) to find out.

It would be great if there was a way to nudge Microsoft to do something about it, in fact I posted the issue here:

https://social.msdn.microsoft.com/Forums/en-US/94ddbaf8-a5e3-4944-a4c6-ea167664ff16/cannot-communicate-to-web-app-powered-by-node-46-from-windows-server-2003-using-https?forum=winserver2008appcompatabilityandcertification

[mscdex]

I doubt they will do anything about it, extended support for Server 2003 already ended on 7/14/2015.

[asuchac]

This is an issue where there is hard to do anything. Node must go the way of stricter security, there is no problem with newer version of Windows and Microsoft probably wouldn't do anything about Windows Server 2003 (probably this affects XP as well - didn't test).

Except I can imagine that there are businesses who still run Windows Server 2003 and users who run XP. Well, at least now they would know that somebody else has the same problem as well.

[shigeki]

DES3 ciphers were dropped by default due to SWEET32 attack in the last openssl upgrade so that only AES is available for symmetric ciphers in the current Node.
You need to add DES3 cipher suites explicitly in the options or apply a HotFix to Win Server 2003 to support AES as indicated in https://support.microsoft.com/en-us/kb/948963.

[asuchac]

The solution suggested by shigeki fixed the problem - thank you for excellent advice.