Upgrading from got 9.2.2 to 9.3.0 causes SSL error

[Siilwyn]

Describe the bug

• Node.js version: 10.16.0
• OS & version: Ubuntu 19.04

I'm using got as a dependency at https://github.com/Siilwyn/cheers-receiver/ and I'm trying to upgrade got to its latest version, however from 9.3.0 and upward when I run npm test I get the following GotError:

write EPROTO 140440844965696:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:

Actual behavior

Error thrown.

Expected behavior

No breaking change, tests pass.

Code to reproduce

git clone https://github.com/Siilwyn/cheers-receiver.git
cd cheers-receiver
npm install got@3.0.0
npm test

Checklist

• I have read the documentation.
• I have tried my code with the latest version of Node.js and Got.

[sindresorhus]

Seems to be related to proxy, see:

• https://npm.community/t/ssl-routineswrong-version-number/6048
• https://forum.inkdrop.app/t/i-cant-log-in-ssl3-get-record-wrong-version/1020/11

[szmarczak]

@Siilwyn this is not possible as Got doesn't operate low level. It must be Node.

[Siilwyn]

@sindresorhus I am not using a proxy. Since the requests are to localhost I would also not expect that to influence the requests?

@szmarczak I had the same idea but since the issue is consistent on 9.3.0 using the same Node environment I don't understand where else it can come from. Do the steps to reproduce the issue not work on your machine?

Thanks for the fast responses!

[lselden]

I just got this error with version 9.6.0 . After searching I found this ticket - nodejs/node#16196 - I had explicitly set the "ciphers" and "minDHSize" options for the HTTPS Agent. After removing those values the requests worked. You could also try setting ecdhCurve: "auto" option, or if you don't mind weaker security you can set rejectUnauthorized to false

In short it's likely an underlying change in your dest server or some other parameter, rather than got.

[Siilwyn]

I don't see any way it can be a change in the destination server since I completely control the server and it is running locally, see the linked repository (the tests also run the server automatically). If you can think of a way that updating the got dependency changes how to server reacts please let me know!

Edit: as a sanity check I also ran this through the CI, same result. Here's the PR: Siilwyn/cheers-receiver#22

[Siilwyn]

Just got reminded of this issue again because of a dependency update service opening this PR to upgrade got, still the CI returns the same errors. CI jobs that upgrade other dependencies run fine in the same environment so this has to be an issue with got as far as I understand.

[szmarczak]

Your server doesn't support HTTPS and you have NOT specified the protocol, so by default it's https:. There was a bug in Got <= 9.3.0, if you passed an object the default would be http: instead of https:.

The documentation says clearly:

If no protocol is specified, it will default to https.

In the next upcoming release it will throw an error if you specify no protocol.

[Siilwyn]

That makes sense, specifying the protocol fixes the issue. Thanks for the reply!

This change should have been a major semver version bump because it changes the default option value, even though it was unwanted/invalid behavior. Please consider this the next time a similar issue is fixed.

[szmarczak]

This change should have been a major semver version bump because it changes the default option value, even though it was unwanted/invalid behavior. Please consider this the next time a similar issue is fixed.

Anyway, you could've saved us some time by knowing your code. If you don't use HTTPS, then how is it possible to see some SSL error? Investigate, don't wait until open source people review your code for you :P It took me <10 mins to get to the cause.

[tobiasmuehl]

Just ran into this on version 9.6.0 trying to hit an HTTP endpoint with a tunnel.httpsOverHttp() proxy.

got('http://88.xxx.xx.xx:4444', {
                agent: tunnel.httpsOverHttp({ proxy }),
                timeout: 5000
            })

GotError [RequestError]: write EPROTO 139725070318920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:

    at ClientRequest.<anonymous> (/application/node_modules/got/source/request-as-event-emitter.js:178:14)
    at Object.onceWrapper (events.js:428:26)
    at ClientRequest.emit (events.js:333:22)
    at ClientRequest.EventEmitter.emit (domain.js:485:12)
    at ClientRequest.origin.emit (/application/node_modules/@szmarczak/http-timer/source/index.js:37:11)
    at TLSSocket.socketErrorListener (_http_client.js:432:9)
    at TLSSocket.emit (events.js:321:20)
    at TLSSocket.EventEmitter.emit (domain.js:485:12)
    at errorOrDestroy (internal/streams/destroy.js:128:12)
    at onwriteError (_stream_writable.js:463:3) {
  name: 'RequestError',
  code: 'EPROTO',
  host: '88.xxx.xx.xx:4444',
  hostname: '88.xxx.xx.xx',
  method: 'GET',
  path: '/',
  socketPath: undefined,
  protocol: 'http:',
  url: 'http://88.xxx.xx.xx:4444/',
  gotOptions: {
    path: '/',
    protocol: 'http:',
    slashes: true,
    auth: null,
    host: '88.xxx.xx.xx:4444',
    port: '4444',
    hostname: '88.xxx.xx.xx',
    hash: null,
    search: null,
    query: null,
    pathname: '/',
    href: 'http://88.xxx.xx.xx:4444/',
    retry: {
      retries: [Function (anonymous)],
      methods: [Set],
      statusCodes: [Set],
      errorCodes: [Set],
      maxRetryAfter: 5000
    },
    headers: {
      'user-agent': 'got/9.6.0 (https://github.com/sindresorhus/got)',
      'accept-encoding': 'gzip, deflate'
    },
    hooks: {
      beforeRequest: [],
      beforeRedirect: [],

yarn list v1.16.0
├─ @sindresorhus/is@0.14.0
├─ @szmarczak/http-timer@1.1.2
│  └─ defer-to-connect@^1.0.1
├─ @types/got@9.6.0
│  ├─ @types/node@*
│  └─ @types/tough-cookie@*
├─ @types/node@13.1.4
├─ @types/tough-cookie@2.3.6
├─ @types/tunnel@0.0.1
│  └─ @types/node@*
├─ cacheable-request@6.1.0
│  ├─ clone-response@^1.0.2
│  ├─ get-stream@^5.1.0
│  ├─ get-stream@5.1.0
│  │  └─ pump@^3.0.0
│  ├─ http-cache-semantics@^4.0.0
│  ├─ keyv@^3.0.0
│  ├─ lowercase-keys@^2.0.0
│  ├─ lowercase-keys@2.0.0
│  ├─ normalize-url@^4.1.0
│  └─ responselike@^1.0.2
├─ clone-response@1.0.2
│  └─ mimic-response@^1.0.0
├─ decompress-response@3.3.0
│  └─ mimic-response@^1.0.0
├─ defer-to-connect@1.1.1
├─ dns-packet@5.2.1
│  └─ ip@^1.1.5
├─ dns-socket@4.2.0
│  └─ dns-packet@^5.1.2
├─ duplexer3@0.1.4
├─ end-of-stream@1.4.4
│  └─ once@^1.4.0
├─ get-stream@4.1.0
│  └─ pump@^3.0.0
├─ got@9.6.0
│  ├─ @sindresorhus/is@^0.14.0
│  ├─ @szmarczak/http-timer@^1.1.2
│  ├─ cacheable-request@^6.0.0
│  ├─ decompress-response@^3.3.0
│  ├─ duplexer3@^0.1.4
│  ├─ get-stream@^4.1.0
│  ├─ lowercase-keys@^1.0.1
│  ├─ mimic-response@^1.0.1
│  ├─ p-cancelable@^1.0.0
│  ├─ to-readable-stream@^1.0.0
│  └─ url-parse-lax@^3.0.0
├─ http-cache-semantics@4.0.3
├─ ip-regex@4.1.0
├─ ip@1.1.5
├─ is-ip@3.1.0
│  └─ ip-regex@^4.0.0
├─ json-buffer@3.0.0
├─ keyv@3.1.0
│  └─ json-buffer@3.0.0
├─ lowercase-keys@1.0.1
├─ mimic-response@1.0.1
├─ normalize-url@4.5.0
├─ once@1.4.0
│  └─ wrappy@1
├─ p-cancelable@1.1.0
├─ prepend-http@2.0.0
├─ public-ip@4.0.0
│  ├─ dns-socket@^4.2.0
│  ├─ got@^9.6.0
│  └─ is-ip@^3.1.0
├─ pump@3.0.0
│  ├─ end-of-stream@^1.1.0
│  └─ once@^1.3.1
├─ responselike@1.0.2
│  └─ lowercase-keys@^1.0.0
├─ sleep-promise@8.0.1
├─ to-readable-stream@1.0.0
├─ tunnel@0.0.6
├─ url-parse-lax@3.0.0
│  └─ prepend-http@^2.0.0
└─ wrappy@1.0.2

Changing the proxy to httpOverHttp fixes it.

[christian-bromann]

@tobiasmuehl did you find the root cause of that issue?

[tobiasmuehl]

@christian-bromann

Changing the proxy to httpOverHttp fixes it.

[future-mine]

write EPROTO 22776:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:c:544:SSL alert number 112

[future-mine]

I am getting this error.
Would you help me with how to solve this?