I am currently experiencing a known problem with OpenSSL on Ubuntu 12.04. This problem is already fixed in Debian and I'm expecting it to be fixed soon in Ubuntu too. However, in the meantime I would need a workaround.

So is it possible to disable TLS1 in Node and have something equivalent to the `-tls1` switch:

```
openssl s_client -tls1 -connect evernote.com:443
```
Here is a simple Node.js script to replicate the problem (on Ubuntu 12.04 w/ OpenSSL 1.0.1):

```javascript
var https = require('https');

// Plain HTTPS GET using the default secureProtocol (SSLv23_method).
var req = https.get({
  host: 'www.evernote.com',
  path: '/',
  port: 443
}, function (res) {
  console.log('Success!');
});

// Without an 'error' listener a failed handshake throws instead of being reported.
req.on('error', function (err) {
  console.log('Request failed: ' + err.message);
});
```
Judging from the documentation and the sources (1, 2), it should be possible to pass an options object to `request` that contains something like

```javascript
options = { secureProtocol: 'TLSv1_method' }
```

in order to use TLSv1 (and just that) for this particular connection.

The default is to use OpenSSL's `SSLv23_method`, which means to use the highest TLS/SSL version that is possibly understood by both parties.

Although possible in OpenSSL itself, it is not possible to blacklist a particular TLS version (as in "use the highest version possible, but never this one") in node.js as far as I can see; the necessary flags to do so are not exported in node.js itself.
I ran into a bug where I couldn't connect to livefilestore.com over ssl via node. Here is what fixed it:

```javascript
var https = require('https');

// Agent that forces an SSL 3.0-only handshake instead of the default negotiation.
var HTTPS_AGENT = new https.Agent({
  secureProtocol: 'SSLv3_method' // default is SSLv23_method
});

// Request options as in the text above (host taken from the description).
var req_opts = { host: 'livefilestore.com', path: '/', port: 443, method: 'GET' };
req_opts.agent = HTTPS_AGENT;

var req = https.request(req_opts, function (res) {
  console.log('Status: ' + res.statusCode);
  res.resume();
});
req.on('error', function (err) {
  console.log('Request failed: ' + err.message);
});
req.end();
```
Interestingly, I was able to reproduce the error in curl with more recent versions of libopenssl, but my older boxes didn't reproduce the issue. I was able to reproduce on Ubuntu and Gentoo. In experimenting with curl, using `-2` always breaks (differently though, doesn't hang, just reports unsupported) and `-3` never reproduced the problem. I don't know if that is related at all. Without specifying `-3` it tries and fails to do an SSLv3 handshake. Strange.