[BUG] npm fails to install package npm ERR! errno EPROTO #6070

Closed
WhaleyBoomer opened this issue Jan 19, 2023 · 10 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments

@WhaleyBoomer

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm fails to install any packages and gives following errors:
14:08:30:276 ====Executing command 'npm install react-dom --save-prod '====
14:08:30:276
14:09:43:819 npm ERR! code EPROTO
14:09:43:821 npm ERR! syscall write
14:09:43:824 npm ERR! errno EPROTO
14:09:43:826 npm ERR! request to https://registry.npmjs.org/react-dom failed, reason: write EPROTO C84A0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:c:\ws\deps\openssl\openssl\ssl\statem\extensions.c:922:
14:09:43:827 npm ERR!
14:09:43:828 npm ERR! A complete log of this run can be found in:
14:09:43:829 npm ERR! C:\Users\Whaley\AppData\Local\npm-cache_logs\2023-01-19T20_08_32_441Z-debug-0.log
14:09:43:843
14:09:43:843 ====npm command completed with exit code 1====
14:09:43:843

Expected Behavior

Expect packages to install

Steps To Reproduce

  1. Visual Studio 2022 or with Command Prompt
  2. With this config...
  3. Run '...'
  4. 14:08:30:276 ====Executing command 'npm install react-dom --save-prod '====
    14:08:30:276
    14:09:43:819 npm ERR! code EPROTO
    14:09:43:821 npm ERR! syscall write
    14:09:43:824 npm ERR! errno EPROTO
    14:09:43:826 npm ERR! request to https://registry.npmjs.org/react-dom failed, reason: write EPROTO C84A0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:c:\ws\deps\openssl\openssl\ssl\statem\extensions.c:922:
    14:09:43:827 npm ERR!
    14:09:43:828 npm ERR! A complete log of this run can be found in:
    14:09:43:829 npm ERR! C:\Users\Whaley\AppData\Local\npm-cache_logs\2023-01-19T20_08_32_441Z-debug-0.log
    14:09:43:843
    14:09:43:843 ====npm command completed with exit code 1====
    14:09:43:843

Environment

  • npm: 8.19.2
  • Node.js:18.12.1
  • OS Name:Windows 10 21H1
  • System Model Name:Dell Latitude 5490
  • npm config:
; copy and paste output from `npm config ls` here
C:\Users\Whaley\source\repos\ReactExample\ReactExample>npm config ls
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\Whaley\\AppData\\Roaming\\npm"

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v18.12.1
; npm local prefix = C:\Users\Whaley\source\repos\ReactExample\ReactExample
; npm version = 8.19.2
; cwd = C:\Users\Whaley\source\repos\ReactExample\ReactExample
; HOME = C:\Users\Whaley
; Run `npm config ls -l` to show all defaults.
@WhaleyBoomer WhaleyBoomer added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Jan 19, 2023
@fritzy
Contributor

fritzy commented Mar 1, 2023

Likely you're connecting to a server or through a proxy of some sort that uses legacy SSL options. This is a network or registry configuration issue.

@fritzy fritzy closed this as completed Mar 1, 2023
@Stargator

@fritzy, what would be the workaround or solution for this? Because I agree it's a network issue for me and the network won't change anything because they see a security issue in how NPM is pulling down packages.

This is from my network IT folks:

This means that executing the 'npm install' command to pull source files to your project will fail. The break and inspect of the network traffic causes the security in Node.JS to error. It is because the traffic is being re-signed.

This re-signing of the packages is what is causing a security issue for us. And they don't see a workaround on their end.

@ljharb
Collaborator

ljharb commented Apr 21, 2023

Re-signing traffic like that is a security issue; they’re explicitly being a “man in the middle”.

@lucas-labs

lucas-labs commented May 11, 2023

Is there any workaround?
We are migrating from node v16 to lts and this error is being a nightmare. I understand openssl provides SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION to "bypass" this, but I guess there's no way to tell npm to switch that option on.

I understand this is a network issue, and I agree the solution should be not to re-sign certificates, but that's something many companies do for some reason (I'm not a network engineer so I can't think of any valid reason, but maybe there's one).

Shouldn't there at least exist a last-resort "allow unsafe renegotiation at your own risk" option? Right now, the only workaround is to not use node > v18

@Stargator

I agree with @lucas-labs; there are organizations that do not trust the public NPM registry to contain safe non-malicious software. So it's only natural that they want to scan the contents for any threats.

@ljharb
Collaborator

ljharb commented May 19, 2023

fwiw the only reasonable way to do this is an internal registry, and NOT to hijack SSL traffic.

@camAtGitHub

No love for the people behind a corporate firewall and intercepting proxy? Fear not!
This is from the viewpoint of getting Neovim working, which is using node under the hood (and all the problems were node related). You might have to perform either the first or both steps depending on your situation.

  • Create a file called openssl.cnf with the contents:
# File: ~/.npm/openssl.cnf
nodejs_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
  • Next you need the CA cert from the intercepting proxy; one way to get it is via openssl s_client -connect registry.npmjs.org:443 --showcerts and grab the bottommost certificate block.
  • Save that somewhere eg. ~/.npm/ca.pem
    • example: cat ~/.npm/ca.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
  • and then finally launch node / nvim with the following ENV VARS. NODE_EXTRA_CA_CERTS=~/.npm/ca.pem OPENSSL_CONF=~/.npm/openssl.cnf
    • eg. NODE_EXTRA_CA_CERTS=~/.npm/ca.pem OPENSSL_CONF=~/.npm/openssl.cnf node
    • additionally you may have to set/export your http_proxy and https_proxy vars if you haven't already - but you can google that.

@giuliohome

giuliohome commented Feb 28, 2024

Is there a way to set

Options = UnsafeLegacyRenegotiation

(or the newer unsafe server connect)
so that it takes effect on npm i ?
It should be a matter of configuring the openssl that npm install is using, right?

@giuliohome

giuliohome commented Feb 28, 2024

Maybe this is relevant to make the above said configuration effective:

With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named nodejs_conf.

🤨🧐🤔

It should be

nodejs_conf = openssl_init

etc... as @camAtGitHub wrote: I'll try asap.

@giuliohome

giuliohome commented Feb 29, 2024

Nope :-( I still get an error

localhost:~/node/test# npm i node-fetch  --loglevel verbose
npm verb cli /usr/bin/node /usr/bin/npm
npm info using npm@10.4.0
npm info using node@v20.11.1
npm verb title npm i node-fetch
npm verb argv "i" "node-fetch" "--loglevel" "verbose"
npm verb logfile logs-max:10 dir:/root/.npm/_logs/2024-02-29T08_04_10_081Z-
npm verb logfile /root/.npm/_logs/2024-02-29T08_04_10_081Z-debug-0.log
npm verb type system
npm verb stack FetchError: request to https://registry.npmjs.org/node-fetch failed, reason: A86959FFCD7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:892:
npm verb stack
npm verb stack     at ClientRequest.<anonymous> (/usr/lib/node_modules/npm/node_modules/minipass-fetch/lib/index.js:130:14)
npm verb stack     at ClientRequest.emit (node:events:518:28)
npm verb stack     at _destroy (node:_http_client:875:13)
npm verb stack     at onSocketNT (node:_http_client:895:5)
npm verb stack     at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
npm verb cwd /root/node/test
npm verb Linux 6.6.14-0-lts
npm verb node v20.11.1
npm verb npm  v10.4.0
npm ERR! code ERR_SSL_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
npm ERR! errno ERR_SSL_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
npm ERR! request to https://registry.npmjs.org/node-fetch failed, reason: A86959FFCD7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:892:
npm ERR!
npm verb exit 1
npm verb unfinished npm timer reify 1709193850421
npm verb unfinished npm timer reify:loadTrees 1709193850426
npm verb code 1

npm ERR! A complete log of this run can be found in: /root/.npm/_logs/2024-02-29T08_04_10_081Z-debug-0.log

I see that this is not a pure node issue, because

node --openssl-config ~/.npm/openssl.cnf https.js

does work while

node  https.js

throws, hence the node started from npm is not getting the right config for some reason...

🎉 OK, finally solved ❤️ , I had a typo in my export OPENSSL_CONF=~/.npm/openssl.cnf 🙌

I confirm it now works with

[system_default_sect]
# Options = UnsafeLegacyRenegotiation
Options = UnsafeLegacyServerConnect
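
The workaround in this thread only takes effect if the file at OPENSSL_CONF chains from `nodejs_conf` down to an `Options` line, and once it does, TLS renegotiation protection is weakened for every Node.js process that inherits that variable. The following is an added example, not code from npm, Node.js or any participant here: a small audit that resolves that chain and reports which unsafe options it enables. The function names are hypothetical and the parser assumes a simple file with no `.include` directives or variable expansion.

```javascript
// Added example (not npm or Node.js code): audit the openssl.cnf chain that
// Node.js follows and list the unsafe TLS options it would enable.
const UNSAFE = new Set(['UnsafeLegacyRenegotiation', 'UnsafeLegacyServerConnect']);

// Minimal reader: [section] headers, key = value pairs, '#' comments.
// Assumption: no .include directives or $variable expansion in the file.
function parseCnf(text) {
  const sections = { default: {} };
  let current = 'default';
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const header = line.match(/^\[\s*([^\]]+?)\s*\]$/);
    if (header) {
      current = header[1];
      if (!sections[current]) sections[current] = {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq > 0) sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Walk nodejs_conf -> ssl_conf -> system_default, then read Options.
function auditNodeTlsOptions(text) {
  const s = parseCnf(text);
  let section = 'default';
  for (const key of ['nodejs_conf', 'ssl_conf', 'system_default']) {
    const next = s[section][key];
    if (!next || !s[next]) return { reached: false, brokenAt: section + '.' + key, unsafe: [] };
    section = next;
  }
  const options = (s[section].Options || '').split(',').map((o) => o.trim()).filter(Boolean);
  // A leading '-' disables an option; a leading '+' (or none) enables it.
  const unsafe = options.filter((o) => !o.startsWith('-') && UNSAFE.has(o.replace(/^\+/, '')));
  return { reached: true, brokenAt: null, unsafe };
}

// Constructed samples: the file from the thread, and one using the stock
// OpenSSL key name (openssl_conf), which the thread says Node.js does not read.
const THREAD_CNF = ['nodejs_conf = openssl_init', '[openssl_init]', 'ssl_conf = ssl_sect',
  '[ssl_sect]', 'system_default = system_default_sect', '[system_default_sect]',
  '# Options = UnsafeLegacyRenegotiation', 'Options = UnsafeLegacyServerConnect'].join('\n');
const STOCK_NAME_CNF = THREAD_CNF.replace('nodejs_conf', 'openssl_conf');

console.log(auditNodeTlsOptions(THREAD_CNF));
console.log(auditNodeTlsOptions(STOCK_NAME_CNF));
```

A result with `reached: false` explains a workaround that silently does nothing; a non-empty `unsafe` list marks a host whose Node.js TLS clients should be moved to an internal registry or a fixed proxy rather than left in that state.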
