Error 525 (SSL handshake failed) using Node.js 8.9.1 and socket.io


#1

This is the code I’m using in Node.js:

var https = require('https');
var express = require('express');
var app = express();
var fs = require('fs');
var options = {
    cert: fs.readFileSync('ssl_certs/cert.pem'),
    key: fs.readFileSync('ssl_certs/privkey.pem'),
};
var server = https.createServer(options, app);
var io = require('socket.io')(server);
var port = 2087;

server.listen(port, "0.0.0.0", function() {
    console.log('Listening on port *:' + port + '.');
});

io.on('connection', function(socket) {
    console.log('connected...');
});

This works fine in Node.js 6.11.2, but in Node.js 8.9.1 I get error 525. I’ve tested both versions multiple times and it always works in 6.11.2.

Is anyone else having this issue?

How can I fix this?


#2

Have you reviewed the materials outlined in this article? They may be helpful.


#3

I have looked up that article, however it doesn’t help with the problem I’m having.

SSL works perfectly fine if I’m using an older version of Node.js (6.11.2), so I don’t understand why it doesn’t work when a newer version of Node.js is being used.

It’s not like I’m receiving any errors from Node.js, it’s just CloudFlare showing Error 525.

So I’m just confused why it’s not working.

Am I doing something wrong?

Can anyone try to recreate this using the same code and see if they’re also having this issue? My SSL setting is set to Full (strict) if that matters.


#4

Can you run curl -Ivk --resolve yourhost:443:ip.add.ress https://yourhost with both bits of code and post the results (filtering out the origin IP and any other data you don’t want to post)?

This should provide some basic info about what your origin is presenting in terms of an SSL cert under both code scenarios.

Clearly there is some difference in how the cert is being generated/presented between the two node.js versions in use.


#5

Node.js v6.11.2:

* Added minnit.chat:2083:<server ip here> to DNS cache
* Rebuilt URL to: https://minnit.chat/
*   Trying 2400:cb00:2048:1::6818:1c20...
* Connected to minnit.chat (2400:cb00:2048:1::6818:1c20) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: ssl389535.cloudflaressl.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: EC
*        certificate version: #3
*        subject: OU=Domain Control Validated,OU=PositiveSSL Multi-Domain,CN=ssl389535.cloudflaressl.com
*        start date: Mon, 23 Oct 2017 00:00:00 GMT
*        expire date: Tue, 01 May 2018 23:59:59 GMT
*        issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO ECC Domain Validation Secure Server CA 2
*        compression: NULL
* ALPN, server accepted to use http/1.1
> HEAD / HTTP/1.1
> Host: minnit.chat
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 14 Nov 2017 20:27:11 GMT
Date: Tue, 14 Nov 2017 20:27:11 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< Set-Cookie: __cfduid=d5b0f0e5c9de3a8121a643ca6a29d46f31510691231; expires=Wed, 14-Nov-18 20:27:11 GMT; path=/; domain=.minnit.chat; HttpOnly; Secure
Set-Cookie: __cfduid=d5b0f0e5c9de3a8121a643ca6a29d46f31510691231; expires=Wed, 14-Nov-18 20:27:11 GMT; path=/; domain=.minnit.chat; HttpOnly; Secure
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Set-Cookie: minnitcsrf=53cb4805113c7bcd21895e31ec4b00ca2fa3995bc39fc8c9d6; expires=Sun, 19-Nov-2017 00:27:11 GMT; Max-Age=360000; path=/; HttpOnly
Set-Cookie: minnitcsrf=53cb4805113c7bcd21895e31ec4b00ca2fa3995bc39fc8c9d6; expires=Sun, 19-Nov-2017 00:27:11 GMT; Max-Age=360000; path=/; HttpOnly
< Set-Cookie: mref=direct; expires=Tue, 21-Nov-2017 20:27:11 GMT; Max-Age=604800
Set-Cookie: mref=direct; expires=Tue, 21-Nov-2017 20:27:11 GMT; Max-Age=604800
< Set-Cookie: mref=direct; expires=Tue, 21-Nov-2017 20:27:11 GMT; Max-Age=604800
Set-Cookie: mref=direct; expires=Tue, 21-Nov-2017 20:27:11 GMT; Max-Age=604800
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Server: cloudflare-nginx
Server: cloudflare-nginx
< CF-RAY: 3bdcb5c5ef5b9a04-EWR
CF-RAY: 3bdcb5c5ef5b9a04-EWR

<
* Connection #0 to host minnit.chat left intact

Node.js v8.9.1:

* Added minnit.chat:2083:<server ip here> to DNS cache
* Rebuilt URL to: https://minnit.chat/
*   Trying 2400:cb00:2048:1::6818:1c20...
* Connected to minnit.chat (2400:cb00:2048:1::6818:1c20) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: ssl389535.cloudflaressl.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: EC
*        certificate version: #3
*        subject: OU=Domain Control Validated,OU=PositiveSSL Multi-Domain,CN=ssl389535.cloudflaressl.com
*        start date: Mon, 23 Oct 2017 00:00:00 GMT
*        expire date: Tue, 01 May 2018 23:59:59 GMT
*        issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO ECC Domain Validation Secure Server CA 2
*        compression: NULL
* ALPN, server accepted to use http/1.1
> HEAD / HTTP/1.1
> Host: minnit.chat
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 14 Nov 2017 20:28:45 GMT
Date: Tue, 14 Nov 2017 20:28:45 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< Set-Cookie: __cfduid=da1a516dd68a855e097527c8d71445ca11510691325; expires=Wed, 14-Nov-18 20:28:45 GMT; path=/; domain=.minnit.chat; HttpOnly; Secure
Set-Cookie: __cfduid=da1a516dd68a855e097527c8d71445ca11510691325; expires=Wed, 14-Nov-18 20:28:45 GMT; path=/; domain=.minnit.chat; HttpOnly; Secure
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Set-Cookie: minnitcsrf=78ffc6563f4cc8b7b35a78ff85ba69eef5321fb2b426ff0636; expires=Sun, 19-Nov-2017 00:28:45 GMT; Max-Age=360000; path=/; HttpOnly
Set-Cookie: minnitcsrf=78ffc6563f4cc8b7b35a78ff85ba69eef5321fb2b426ff0636; expires=Sun, 19-Nov-2017 00:28:45 GMT; Max-Age=360000; path=/; HttpOnly
< Set-Cookie: mref=direct; expires=Tue, 21-Nov-2017 20:28:45 GMT; Max-Age=604800
Set-Cookie: mref=direct; expires=Tue, 21-Nov-2017 20:28:45 GMT; Max-Age=604800
< Set-Cookie: mref=direct; expires=Tue, 21-Nov-2017 20:28:45 GMT; Max-Age=604800
Set-Cookie: mref=direct; expires=Tue, 21-Nov-2017 20:28:45 GMT; Max-Age=604800
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Server: cloudflare-nginx
Server: cloudflare-nginx
< CF-RAY: 3bdcb8121e5621ce-EWR
CF-RAY: 3bdcb8121e5621ce-EWR

<
* Connection #0 to host minnit.chat left intact

Hope this helps.


#6

Ah my bad. Can you rerun the same test(s) but substitute your true origin IP address for the Cloudflare IP address? In the examples above that you provided you can see we (Cloudflare) are presenting the same SSL cert on our edge for both. My assumption is that the origin server is showing different ones for some reason and trying to see what cert it is presenting to help figure out if there may be an issue with it.


#7

Or actually you probably did use the origin IP but I screwed up on the host name. I think you’ll need to use https://minnit.chat:2083 as the port as it appears it’s attempting over 443 with the version I gave you even though you properly changed the port in your curl string. I think curl requires the explicit port when it’s not the standard https.


#8

Yep, I think that was it.

Here’s the results with the proper command being run:

Node.js v6.11.2:

* Added minnit.chat:2083:<origin ip here> to DNS cache
* Rebuilt URL to: https://minnit.chat:2083/
* Hostname minnit.chat was found in DNS cache
*   Trying <origin ip here>...
* Connected to minnit.chat (<origin ip here>) port 2083 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: CloudFlare Origin Certificate (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: O=CloudFlare\, Inc.,OU=CloudFlare Origin CA,CN=CloudFlare Origin Certificate
*        start date: Wed, 05 Jul 2017 04:46:00 GMT
*        expire date: Thu, 01 Jul 2032 04:46:00 GMT
*        issuer: C=US,O=CloudFlare\, Inc.,OU=CloudFlare Origin SSL Certificate Authority,L=San Francisco,ST=California
*        compression: NULL
* ALPN, server accepted to use http/1.1
> HEAD / HTTP/1.1
> Host: minnit.chat:2083
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< X-Powered-By: Express
X-Powered-By: Express
< Content-Security-Policy: default-src 'self'
Content-Security-Policy: default-src 'self'
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 140
Content-Length: 140
< Date: Tue, 14 Nov 2017 20:51:00 GMT
Date: Tue, 14 Nov 2017 20:51:00 GMT
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host minnit.chat left intact

Node.js v8.9.1:

* Added minnit.chat:2083:<origin ip here> to DNS cache
* Rebuilt URL to: https://minnit.chat:2083/
* Hostname minnit.chat was found in DNS cache
*   Trying <origin ip here>...
* Connected to minnit.chat (<origin ip here>) port 2083 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: CloudFlare Origin Certificate (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: O=CloudFlare\, Inc.,OU=CloudFlare Origin CA,CN=CloudFlare Origin Certificate
*        start date: Wed, 05 Jul 2017 04:46:00 GMT
*        expire date: Thu, 01 Jul 2032 04:46:00 GMT
*        issuer: C=US,O=CloudFlare\, Inc.,OU=CloudFlare Origin SSL Certificate Authority,L=San Francisco,ST=California
*        compression: NULL
* ALPN, server accepted to use http/1.1
> HEAD / HTTP/1.1
> Host: minnit.chat:2083
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< X-Powered-By: Express
X-Powered-By: Express
< Content-Security-Policy: default-src 'self'
Content-Security-Policy: default-src 'self'
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 140
Content-Length: 140
< Date: Tue, 14 Nov 2017 20:51:34 GMT
Date: Tue, 14 Nov 2017 20:51:34 GMT
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host minnit.chat left intact

Edit:

I retried it on Node.js v8.9.1 several times and got the handshake error:

* Added minnit.chat:2083:<origin IP here> to DNS cache
* Rebuilt URL to: https://minnit.chat:2083/
* Hostname minnit.chat was found in DNS cache
*   Trying <origin IP here>...
* Connected to minnit.chat (<origin IP here>) port 2083 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Handshake failed
* Closing connection 0
curl: (35) gnutls_handshake() failed: Handshake failed

#9

Well… that is sub-optimal. On the plus side, Cloudflare as a proxy probably isn’t the source. On the minus side I have no freaking idea. On the off chance it could be the Cloudflare certificate itself, do you have the ability to change your SSL setting to Full and try with a Let’s encrypt or self signed certificate to see if the issue persists?


#10

Tried it with a Let’s encrypt cert and I got the same issue:

Node.js v6.11.2:

* Added minnit.chat:2083:<origin IP here> to DNS cache
* Rebuilt URL to: https://minnit.chat:2083/
* Hostname minnit.chat was found in DNS cache
*   Trying <origin IP here>...
* Connected to minnit.chat (<origin IP here>) port 2083 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: minnit.chat (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=minnit.chat
*        start date: Tue, 14 Nov 2017 20:58:20 GMT
*        expire date: Mon, 12 Feb 2018 20:58:20 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> HEAD / HTTP/1.1
> Host: minnit.chat:2083
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< X-Powered-By: Express
X-Powered-By: Express
< Content-Security-Policy: default-src 'self'
Content-Security-Policy: default-src 'self'
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 140
Content-Length: 140
< Date: Tue, 14 Nov 2017 22:06:33 GMT
Date: Tue, 14 Nov 2017 22:06:33 GMT
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host minnit.chat left intact

Node.js v8.9.1:

* Added minnit.chat:2083:<origin IP here> to DNS cache
* Rebuilt URL to: https://minnit.chat:2083/
* Hostname minnit.chat was found in DNS cache
*   Trying <origin IP here>...
* Connected to minnit.chat (<origin IP here>) port 2083 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Handshake failed
* Closing connection 0
curl: (35) gnutls_handshake() failed: Handshake failed

Any more ideas? Does this suggest an issue with Node.js 8 or is it something on my end…?


#11

Interesting reading, and checking all the handshakes it looks like something is going on with the 8.9.1 version; not an expert, but from all your tests it looks like this article corroborates your finding on using version 6.11.2 until a solution is found. Question from an observation point — if the connection is less restricted, like say http, will it work? Or will testing the code outside the Cloudflare environment aid in isolating the issue with 6.11.2 and 8.9.1? Just a pointer to the masters to help in this partial problem, since downgrading is the proposed solution even though whatever goodies 8.9.1 holds you need to use it. Hope you find the source; I will suggest isolating the environment just in case 8.9.1 doesn’t like rerouting…

Reference: