This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

https.get via proxy generates SSL3_GET_RECORD wrong version number error #6779

Closed
foiseworth opened this issue Dec 30, 2013 · 11 comments

@foiseworth

I get the following error when attempting to download a zip file from github using https.request via my company proxy:

An error occured whilst trying to download Casper.JS 140735122252160:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../deps/openssl/openssl/ssl/s3_pkt.c:337:

I'm attempting to edit the grunt-casperjs install script to allow myself and my colleagues to install behind our proxy. The script fetches Casper from Github and downloads it. Originally the script didn't support a proxy so I copied the grunt-phantomjs proxy support. Phantomjs is downloaded via a http connection and this works fine via our proxy (if I change it to a https URL it fails with the same error).

I have attempted the following:

  • I added https.globalAgent.options.secureProtocol = 'SSLv3_method'; as previously an unknown protocol error was displayed.
  • Using curl, the request completes fine
  • Updated OpenSSL and Node
  • I added https.globalAgent.options.secureOptions = 'SSL_OP_NO_TLSv1'; but this results in node returning with no message after the request is made

    var https = require('https');
    https.globalAgent.options.secureProtocol = 'SSLv3_method'

    var url = require('url');
    var downloadUrl = 'https://codeload.github.com/n1k0/casperjs/zip/1.0.3'
    var proxy = 'https://username:password@IP:port';

    var options = url.parse(proxy);
    options.path = downloadUrl;
    options.headers = { Host: url.parse(downloadUrl).host }
    // If going through proxy, spoof the User-Agent, since many commercial proxies block blank or unknown agents in headers
    options.headers['User-Agent'] = 'curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5'
    // Turn basic authorization into proxy-authorization.
    options.headers['Proxy-Authorization'] = 'Basic ' + new Buffer(options.auth).toString('base64');
    delete options.auth;

    var request = https.get(options, function(response) {
        console.log('response received');
    }).on('error', function(e) {
        console.log('An error occurred whilst trying to download Casper.JS ' + e.message);
    });

@indutny
Member

indutny commented Dec 30, 2013

Thanks for filing this! May I ask you to redo your test case without any external (non-core) modules?

@indutny
Member

indutny commented Dec 30, 2013

Also, do you know what software runs on that server?

@foiseworth
Author

Hi @indutny, I have reduced the test case as requested and edited my original post. The error I get is still the same.

In terms of what software the server uses, when I do a curl I get the following:

    > curl -v -o /dev/null https://codeload.github.com/n1k0/casperjs/zip/1.0.3
    * About to connect() to proxy my__proxy_IP port my__proxy_port (#0)
    *   Trying my__proxy_IP...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* connected
    * Connected to my__proxy_IP (my__proxy_IP) port my__proxy_port (#0)
    * Establish HTTP proxy tunnel to codeload.github.com:443
    * Proxy auth using Basic with user 'my_username'
    > CONNECT codeload.github.com:443 HTTP/1.1
    > Host: codeload.github.com:443
    > Proxy-Authorization: Basic my_password_base64encoded
    > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
    > Proxy-Connection: Keep-Alive
    > 
    < HTTP/1.0 200 Connection established
    < 
    * Proxy replied OK to CONNECT request
    * SSLv3, TLS handshake, Client hello (1):
    } [data not shown]
    * SSLv3, TLS handshake, Server hello (2):
    { [data not shown]
    * SSLv3, TLS handshake, CERT (11):
    { [data not shown]
    * SSLv3, TLS handshake, Server finished (14):
    { [data not shown]
    * SSLv3, TLS handshake, Client key exchange (16):
    } [data not shown]
    * SSLv3, TLS change cipher, Client hello (1):
    } [data not shown]
    * SSLv3, TLS handshake, Finished (20):
    } [data not shown]
    * SSLv3, TLS change cipher, Client hello (1):
    { [data not shown]
    * SSLv3, TLS handshake, Finished (20):
    { [data not shown]
    * SSL connection using RC4-SHA

@indutny
Member

indutny commented Dec 30, 2013

Actually, I meant your proxy. Sorry for wrong wording.

@foiseworth
Author

We're running Squid http://www.squid-cache.org/

@indutny
Member

indutny commented Jan 8, 2014

@foiseworth hey man, sorry for a delay. Do you have resources to spawn a proxy with a public ip to simplify testing for us? If you wish to - please contact me privately ( fedor@indutny.com ).

@foiseworth
Author

NP @indutny - I'll see what I can do. I have found at least two other incidents of the same error and the same proxy though: yeoman/generator-generator#36 (comment) and npm/npm#1332

@indutny
Member

indutny commented Jan 14, 2014

@foiseworth as another alternative you can try running tcpdump and send me it privately, so I could use wireshark on it. Please let me know if you need any help with this.

@tankbusta

I'm seeing the same problem (node v0.10.24) while making calls to AWS SQS via HTTPS over Squid.

Originally we were getting

NetworkingError: 139755984586560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:766

..so I set the https.Agent to

agent.options.secureProtocol = 'TLSv1_method';

which gave me

140654019671872:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../deps/openssl/openssl/ssl/s3_pkt.c:337

Unfortunately I can't provide a tcpdump but I'll be more than willing to share the code if you can setup an AWS keypair with SQS.

@indutny
Member

indutny commented Jan 15, 2014

Are you sure that your squid server supports https_port? http://www.squid-cache.org/Doc/config/https_port/ If yes - are you sure that you are connecting to it?

It seems that it fails just because you're connecting to the port that expects HTTP request.

@indutny closed this as completed Jan 15, 2014

@calidion

@indutny
Thank you.
I encountered the same problem, and it turns out that I was trying to connect to the HTTP server instead of the HTTPS server, where the port specified was wrong.
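
Added example, not part of the original thread and not Node's or any participant's code: why a TLS handshake aimed at a plain-HTTP proxy port ends in "wrong version number", and the CONNECT-then-TLS sequence that the curl trace above performs. The function names and the proxy.example address are hypothetical, and the proxy is assumed to listen for plain HTTP.

```javascript
const http = require('http');
const tls = require('tls');

// Read the first 5 bytes from a peer the way a TLS client reads a record
// header: content type (1 byte), version major.minor (2), length (2).
function classifyFirstBytes(buf) {
  if (buf.length < 5) return { kind: 'short' };
  const [type, major, minor] = buf;
  if (buf.toString('latin1', 0, 5) === 'HTTP/') {
    // 'H' 'T' 'T' parse as type 0x48, version 0x54.0x54: not a TLS record.
    return { kind: 'plaintext-http', type, major, minor };
  }
  if (type >= 20 && type <= 23 && major === 3) {
    return { kind: 'tls-record', type, major, minor };
  }
  return { kind: 'unknown', type, major, minor };
}

// Options for the plaintext CONNECT request that opens the tunnel.
function connectOptions(proxy, target) {
  const p = new URL(proxy), t = new URL(target);
  const authority = t.hostname + ':' + (t.port || 443);
  const headers = { Host: authority };
  if (p.username) {
    const cred = decodeURIComponent(p.username) + ':' + decodeURIComponent(p.password);
    headers['Proxy-Authorization'] = 'Basic ' + Buffer.from(cred).toString('base64');
  }
  return { host: p.hostname, port: Number(p.port || 80), method: 'CONNECT', path: authority, headers };
}

// Plain HTTP to the proxy first, then TLS to the origin inside the tunnel.
function getViaProxy(proxy, target, onStatusLine, onError) {
  const t = new URL(target);
  http.request(connectOptions(proxy, target))
    .on('connect', (res, socket) => {
      if (res.statusCode !== 200) return onError(new Error('CONNECT refused: ' + res.statusCode));
      const secure = tls.connect({ socket, servername: t.hostname }, () => {
        secure.write('GET ' + t.pathname + t.search + ' HTTP/1.1\r\n' +
          'Host: ' + t.host + '\r\nConnection: close\r\n\r\n');
      });
      secure.once('data', (d) => onStatusLine(d.toString('latin1').split('\r\n')[0]));
      secure.on('error', onError);
    })
    .on('error', onError)
    .end();
}
```

Certificate validation stays at Node's default inside the tunnel, so the proxy only relays bytes and the origin's certificate is still checked against `servername`.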
