Request: Error: DEPTH_ZERO_SELF_SIGNED_CERT

Created on 22 Jan 2013  ·  51 Comments  ·  Source: request/request

I'm using self-signed test certificates in my apache2 server and when I call request I get the following error:

Error: DEPTH_ZERO_SELF_SIGNED_CERT

I'm using the following code below to test it. Notice that I'm also using needle and it works with the rejectUnauthorized=true option. I could not find an equivalent on request (I've tried strictSSL=false but I guess that's the default). I couldn't find any other samples related to the problem either.

var request = require('request'),
    needle = require('needle');

request('https://127.0.0.1', function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log("REQUEST:"+body);
  } else {
    console.error("REQUEST: "+error)
  }
});

needle.get('https://127.0.0.1',{rejectUnauthorized:false},function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log("NEEDLE:"+body);
  }
});

All 51 comments

Same problem here. Using node v0.10.1 and latest request version.

same issue here using v0.10.2

The same problem in v0.11.1-pre. I need to accept invalid certificates because I'm developing a security tool.

@client = tls.connect @port, @target, {rejectUnhauthorized : false}, =>
@client.write message
@client.setEncoding 'utf-8'

The code you need is:

request({ url : 'https://127.0.0.1', rejectUnauthorized : false }, function...

Edit: I removed the lame comment that I made, cause, that's just lame of me....

rejectUnauthorized: false

rejectUnauthorized: false did not work for me. Instead, adding the following removed the error:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0" // Avoids DEPTH_ZERO_SELF_SIGNED_CERT error for self-signed certs

I can verify that NODE_TLS_REJECT_UNAUTHORIZED=0 works for me, but rejectUnauthorized: false does not.
Using node v0.10.1

@dankohn & @cliffano +1 for your suggestions here.

@case NODE_TLS_REJECT_UNAUTHORIZED is only an escape hatch to revert to old behaviours (allowing invalid and self-signed certs) according to https://github.com/joyent/node/pull/4023 , so it's just a workaround for me to get self-signed cert working.
So it looks like rejectUnauthorized: false is not doing what it's supposed to be doing.

We know that, in many cases, {rejectUnauthorized:false} works and in some others it appears not to propagate to core. The question we need to answer is "is there an edge case where request does not set this option properly or is core not observing the option properly in some edge cases?"

I need a fully reproducible test in order to answer that question.

Unfortunately I don't have a test case, but this might be helpful:

  • the server I'm talking to requires SSLv3 for some reason (python code for reference; I was seeing the same error in Node)
  • this is how I'm forcing SSLv3 (which I couldn't find a way to do in Request): https.globalAgent.options.secureProtocol = 'SSLv3_method';

Hey guys,

Thanks to everyone who works on the library. I was trying to use self-signed cert for some testing and get the same error. I've included details below. Let me know if you need anything else. I've tried all combinations of using strictSSL and rejectUnauthorized but it doesn't seem to work.

Node version: 0.10.10
OS: Windows 7 x64
OpenSSL: Win32 1.0.1e
Cert generated using:
openssl genrsa -out priv.pem 1024
openssl req -x509 -new -key priv.pem -days 3650 -out cert.crt

Code for creating server

var fs = require('fs'); // needed for the readFileSync calls below
var https = require('https');
var express = require('express');
var app = express();
var credentials = {
    key: fs.readFileSync(__dirname + '/priv.pem', 'utf8'),
    cert: fs.readFileSync(__dirname + '/cert.crt', 'utf8')
};
var server = https.createServer(credentials, app);
server.listen(3000);

Using request like so:

var request = require('request');
request.defaults({
    strictSSL: false, // allow us to use our self-signed cert for testing
    rejectUnauthorized: false
});
request('https://localhost:3000', function(err) {
    console.error(err); // outputs the zero_depth error
});

@dankohn worked for me

With [email protected] and nodejs v0.10.15 rejectUnauthorized: false still does not work, I still have to use this hack:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"

Which is ugly, because I would like to check validity and accept self signed certificates.

Found the problem while writing a test but was unable to replicate.

Had an interesting occurrence of this problem. Set strictSSL: false, which worked on one box but not on another (rejectUnauthorized=false failed as well). @dankohn's suggestion worked.

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

Works for restler as well.

I was able to get it to work using rejectUnauthorized: false (node v0.10.26)

I know this is closed and merged,
but maybe worth mentioning that
some 3rd party libs still depend on request and use it without rejectUnauthorized: false

Is this still an issue?

This is so old I'm closing, if it is actually still an issue just let me know and I'll re-open.

This is still an issue for me

node 0.10.31 / request: 2.42.0

screen shot: http://screencast.com/t/hcmHPBlxOHc

request.defaults(
  strictSSL: false # allow us to use our self-signed cert for testing
  rejectUnauthorized: false)

request "https://localhost:8000/index.html", (err, res, body) ->
  return console.error err if err # DEPTH_ZERO_SELF_SIGNED_CERT

I'm still having an issue with this too, v0.10.20

Using the process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; trick for now

@frankfuu do you think this 'trick' should be in documentation?

Yes, we could use some docs and tests for SSL issues like this and #811. Should include accepting all certificates and accepting only the desired certificates.

@syzer possibly? well at least i found it useful

Still an issue for me, v0.10.22.

@dankohn, @cliffano where did you put the "NODE_TLS_REJECT_UNAUTHORIZED" : "0" in?

This is my code (it doesn't work):
var soap = require('soap');
var url = 'https://link.to/my/url/file.wsdl';
var args = {Email: '[email protected]', Passwort: 'passwort123', deviceMac: '00-14-22-01-23-45'};
soap.createClient(url, {"NODE_TLS_REJECT_UNAUTHORIZED" : "0"}, function(err, client) {
client.myOperation(args, function(err, result) {
console.log(err, result);
});
});

Put it right at the top of the file:

// Avoids DEPTH_ZERO_SELF_SIGNED_CERT error for self-signed certs.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Dan Kohn mailto:[email protected]
tel:+1-415-233-1000

@dankohn: I still get the same error message. My code looks like this now:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
var soap = require('soap');
var url = 'https://link.to/my/url/file.wsdl';
var args = {Email: '[email protected]', Passwort: 'passwort123', deviceMac: '00-14-22-01-23-45'};
soap.createClient(url, {rejectUnauthorized:false}, function(err, client) {
client.myOperation(args, function(err, result) {
console.log(err, result);
});
});

@apiton: Could you solve it already? I still got the same problem.

my URL doesn't start with "https://www." but "https://link." could it be that this is the problem?

@jksdua's example was useful and I was able to reproduce the error.

To solve both @fourq and @jksdua problem you want to do this

var request = require('request');
var request = request.defaults({
  strictSSL: false,
  rejectUnauthorized: false
});

Or

var request = require('request').defaults({
  strictSSL: false,
  rejectUnauthorized: false
});

The defaults method will return a function.
So you need to assign the variable request to the function in order for the default options to work.

Also @frankfuu can you provide an example of how you're using request with the rejectUnauthorized option?

If you're still having problems I would like to get another test case.

@thadeuszlay I know you just asked for help with using:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

Do you still need help with this?

Note version 2.45.0 of Request allows you to just set strictSSL to false, and then rejectUnauthorized becomes false as well.

However if you don't specify strictSSL to be false, rejectUnauthorized defaults to undefined.
I'm assuming that's the desired behavior.

Hi @seanstrom

I don't recall the example i made but it was similar to what @fourq had

request.defaults(
strictSSL: false
rejectUnauthorized: false)

I haven't had problems since using "the trick"

@frankfuu
Based on @fourq 's example, I came up with this solution above.
https://github.com/mikeal/request/issues/418#issuecomment-58959393

Can you take a look and see if that would work for you?

Note version 2.45.0 of Request allows you to just set strictSSL to false, and then rejectUnauthorized becomes false as well.

Is wfm where it failed before without rejectUnauthorized.

@andig my chat lingo is a little fuzzy so I'm just confirming that you're saying:
Using strictSSL: false is working for you
Correct?

@andig my chat lingo is a little fuzzy so I'm just confirming that you're saying:

@seanstrom please forgive the childish language.

Using strictSSL: false is working for you. Correct?

Correct. My previously failing SSL connection that required rejectUnauthorized: false is now working with strictSSL: false only.

I'll be closing this issue
If this is still a problem for anyone I'll re-open it.
Let me know

still an issue here v10.0.32
when trying process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
i get:
_stream_readable.js:748
throw new Error('Cannot switch to old mode now.');

@webduvet can you give us a code sample?
That will help us debug this problem

@seanstrom sure, it was very simple sample from nodejs doc.

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
var tls = require('tls');
var fs = require('fs');
var options = {
  cert: fs.readFileSync('test-cert.pem'),
  strictSSL: false
};
var cleartextStream = tls.connect(8000, options, function() {
  console.log('client connected',
              cleartextStream.authorized ? 'authorized' : 'unauthorized');
  process.stdin.pipe(cleartextStream);
  process.stdin.resume();
});

@seanstrom I'm still getting this error when trying to use self-signed certs.

Thing is, rejectUnauthorized: false turns off all verification, right? Because it works even if I don't provide a PEM or key or list of acceptable certs. I need to provide a cert (or key) and have the request engine support actually check the cert list.

Yes, rejectUnauthorized: false or strictSSL: false are not ideal solutions because they turn off all certificate verification. It's possible to add your own CAs for self-signed or unrecognized certificates though. Have a look at our HTTPS tests for an example of how to do this: https://github.com/request/request/blob/master/tests/test-https.js

Thanks, Nylen. That test helped clear up what we were doing wrong. We were using self-signed certs, rather than first creating a self-signed CA and then using that CA to sign the server cert. That's what I thought we were doing, but we weren't.
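
The setup described in the comment above (a self-signed CA that then signs the server certificate) can be built and checked with the openssl CLI. This is an added example, not part of the original thread or of the request project's tests; the file names, certificate subjects and function names are constructed.

```bash
# Added example: every name, subject and path below is constructed.

# write_cnf DIR: minimal config so the result does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1/test.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_test_pki DIR: self-signed CA (ca.crt) plus a server.crt signed by that CA.
make_test_pki() {
  write_cnf "$1" || return 1
  # 1. The CA certificate: the only file a client has to trust.
  openssl req -x509 -config "$1/test.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 30 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
  # 2. Server key and signing request.
  openssl req -new -config "$1/test.cnf" -subj "/CN=localhost" -newkey rsa:2048 \
    -nodes -sha256 -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
  # 3. The CA signs the request; subjectAltName is what hostname checks match.
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > "$1/san.ext"
  openssl x509 -req -in "$1/server.csr" -sha256 -days 30 \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/san.ext" -out "$1/server.crt" 2>/dev/null
}

# make_lone_cert DIR: a certificate signed only by itself, as in the thread.
make_lone_cert() {
  write_cnf "$1" || return 1
  openssl req -x509 -config "$1/test.cnf" -subj "/CN=localhost" -newkey rsa:2048 \
    -nodes -sha256 -days 30 -keyout "$1/lone.key" -out "$1/lone.crt" 2>/dev/null
}

# chain_ok CAFILE CERT: succeeds only when CERT chains to the CA in CAFILE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

A Node client then passes `ca.crt` through the `ca` option and leaves `rejectUnauthorized` at `true`. Checking `lone.crt` against the same CA fails with OpenSSL verify error 18, which Node reports as DEPTH_ZERO_SELF_SIGNED_CERT.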

For those who wish to understand a principle.

https://nodejs.org/dist/v0.12.9/docs/api/tls.html#tls_tls_connect_options_callback

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "1";
var tls = require('tls');
var fs = require('fs');
var constants = require('constants');
var util = require('util');

var options = {
    host: 'localhost',
    strictSSL: true,
    ca: [fs.readFileSync('trusted1.pem'), fs.readFileSync('trusted2.pem') ],
    rejectUnauthorized: true, // Trust to listed certificates only. Don't trust even google's certificates.
    secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,
    secureProtocol: 'SSLv23_method',
    ciphers: 'ECDHE-RSA-AES128-SHA256'
};

var socket = tls.connect(3001, options, function() {
    console.log('client connected',
        socket.authorized ? 'authorized' : 'unauthorized',
        socket.encrypted ? 'encrypted' : 'unencrypted',
        '\nCipher: ' + util.inspect(socket.getCipher()),
        '\nCert Info: \n' + util.inspect(socket.getPeerCertificate(true)));
    //process.stdin.pipe(socket);
    //process.stdin.resume();
});

Really, it sounds like all your problems are that your client system has no SSL certificate configuration.
First configure your system's OpenSSL and then add your request, whether it is GET or POST, to process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; it would work, inshaa Allah.

Hi there,

I'm facing a similar issue but only in the "POST" method while "GET" is working fine. Here is the detailed information:

Test Code:

var frisby = require('frisby');
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

var CONF = process.env['CONF'];
var config = require('../config/' + CONF);
var data = require('../tests_data/batch_data.json');

frisby.globalSetup({
  request: {
    strictSSL: false,
    rejectUnauthorized: false,
    headers: {'Authorization': 'token'},
    inspectOnFailure: true
  }
});

frisby.create('Test#1: Sunny Day scenario')
  .post(config.api_url + data.api_endpoint, data.test_strace, {rejectUnauthorized: false}, {json: true})
  .inspectHeaders()
  .inspectRequest()
  .inspectJSON()
  .expectJSON(data.batch_test_response_1)
  .toss();

Execution Error:
Error-1
Message: Error: Error parsing JSON string: Unexpected token D Given: Destination URL may be down or URL is invalid, Error: ESOCKETTIMEDOUT
Stacktrace: Error: Error parsing JSON string: Unexpected token D Given: Destination URL may be down or URL is invalid, Error: ESOCKETTIMEDOUT
    at _jsonParse (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:1219:11)
    at null.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:650:20)
    at null.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:1074:43)
    at Timer.listOnTimeout [as ontimeout] (timers.js:110:15)

Error-2

Message: TypeError: Cannot read property 'headers' of undefined
Stacktrace: TypeError: Cannot read property 'headers' of undefined
    at Frisby.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:894:20)
    at Frisby.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:940:8)
    at null.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:1112:18)
    at Timer.listOnTimeout [as ontimeout] (timers.js:110:15)

What should be updated here to fix these issues?

Thanks

add this and it should solve it:

https.globalAgent.options.rejectUnauthorized = false;
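
The workarounds in this thread all switch certificate verification off, and the environment variable and the `https.globalAgent` setting do so for the whole process, so it is worth checking a code base and its dependencies for ones left behind. The scan below is an added example, not part of the original thread; its function names and sample files are constructed, and its patterns cover only the spellings that appear above.

```bash
# Added example: the patterns cover only the spellings that appear in this thread.

# find_tls_bypass DIR: print "file:line:text" for each setting that turns off
# certificate verification in .js/.coffee files under DIR (dependencies included).
find_tls_bypass() {
  env_re="NODE_TLS_REJECT_UNAUTHORIZED[\"']?[[:space:]]*[:=][[:space:]]*[\"']?0"
  opt_re="(rejectUnauthorized|strictSSL)[\"']?[[:space:]]*[:=][[:space:]]*false"
  find "$1" -type f \( -name '*.js' -o -name '*.coffee' \) \
    -exec grep -nE -e "$env_re" -e "$opt_re" /dev/null {} +
}

# count_tls_bypass DIR: number of findings, for use as a CI gate.
count_tls_bypass() {
  find_tls_bypass "$1" | wc -l | tr -d ' '
}

# write_samples DIR: constructed files modelled on snippets from the thread.
write_samples() {
  mkdir -p "$1/node_modules/dep"
  cat > "$1/app.js" <<'EOF'
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
var request = require('request').defaults({ strictSSL: false });
EOF
  cat > "$1/node_modules/dep/index.js" <<'EOF'
https.globalAgent.options.rejectUnauthorized = false;
EOF
  # A client that pins its CAs and keeps verification on: must not be reported.
  cat > "$1/pinned.js" <<'EOF'
var options = { ca: [fs.readFileSync('trusted1.pem')], rejectUnauthorized: true };
EOF
}
```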
