Node-fetch: Disable SSL verification

Question

I have the following code, which is run from a express server:

import fetch from 'node-fetch';

let formBody = [];

const dataLogin = {
      'username': 'myUser',
      'password': 'myPassword'
};

for (let p in dataLogin) {
   let encodedKey = encodeURIComponent(p);
   let encodedValue = encodeURIComponent(dataLogin[p]);
   formBody.push(encodedKey + "=" + encodedValue);
 }

 formBody = formBody.join("&");   

 const url = 'https://external-login-api.com';
 return fetch(url, {
          method: 'POST',
          headers: {
              'Content-Type': 'application/x-www-form-urlencoded',
              'Content-Length': formBody.length         
  },     
  body: formBody
 });

When I run the code I get the following error, despite being able to run the request in Postman with no problems.

{"message":"request to https://external-login-api.com failed, reason: write EPROTO 7316:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:openssl\\ssl\\statem\\statem_clnt.c:1472:\\n","type":"system","errno":"EPROTO","code":"EPROTO"}

How do I disable SSL verification for this request?

Answer 1

The other way to do is to set your own agent to the fetch call.

const fetch = require('node-fetch');
const https = require('https');

const httpsAgent = new https.Agent({
      rejectUnauthorized: false,
    });

const response = await fetch(url, {
      method: 'POST',
      headers: headers,
      body: body,
      agent: httpsAgent,
    });

Answer 2

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

Will ensure you ignore any rejected TLS certificates, or you can set this as an environment variable when running your node service. However this will likely not help, and is probably a bad idea. The SSL error is not because the certificate is invalid (such as a self signed certificate) but instead because of a weak Diffie-Hellman key in the SSL/TLS configuration.

If this a service you're hosting you should look at correcting and improving your TLS/SSL cyphers. See this answer for more information .

The important part is:

You should use 2048-bit Diffie-Hellman groups or larger. You should not be using 512-bit or 1024-bit Diffie-Hellman groups.

If this is a third party service, you should consider contacting them or using a different service as they are leaving themselves open to the Logjam attack which is also discussed in the answer linked above.

Answer 3

If you want to disable SSL check while using AXIOS library, add agent to its call in this way

// At instance level
const instance = axios.create({
  httpsAgent: new https.Agent({  
    rejectUnauthorized: false
  })
});

instance.get('https://something.com/foo');

// At request level
 const agent = new https.Agent({  
 rejectUnauthorized: false
});

axios.get('https://something.com/foo', { httpsAgent: agent });