node-libcurl crashes accidentally on insecure request to host with bad ssl cert


Hello. I want to make an insecure request (ignore any problems with SSL certificates). But the script crashes accidentally. Here is the script:

const { Curl, CurlFeature } = require('node-libcurl');

const curl = new Curl()
const url = 'https://expired.badssl.com/'

console.log(Curl.getVersionInfoString())
console.log(Curl.VERSION_NUM)

curl.setOpt('URL', url)

// or use an already defined constant
// curl.setOpt(Curl.option.CONNECTTIMEOUT, 5)
curl.setOpt(Curl.option.FOLLOWLOCATION, true)
curl.setOpt(Curl.option.SSL_VERIFYHOST, false)
curl.setOpt(Curl.option.SSL_VERIFYPEER, false);
curl.setOpt(Curl.option.CUSTOMREQUEST, 'GET');
curl.setOpt(Curl.option.VERBOSE, true);


curl.on('end', (statusCode, body, headers, curlInstance) => {
  curl.close()
})

// Error will be a JS error, errorCode will be the raw error code (as int) returned from libcurl
curl.on('error', (error, errorCode) => {
  curl.close()
})

// this triggers the request
curl.perform()

// It's async, so it does not block the Node.js thread
console.log('I will show before the request starts')

Here is the output.

Version: libcurl/7.64.1 OpenSSL/1.1.0j zlib/1.2.11 brotli/1.0.7 libidn2/2.1.1 libssh2/1.9.0 nghttp2/1.39.2
Protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
Features: AsynchDNS, IDN, IPv6, Largefile, NTLM, NTLM_WB, SSL, libz, brotli, TLS-SRP, HTTP2, UnixSockets, HTTPS-proxy
475137
I will show before the request starts
*   Trying 104.154.89.105...
* TCP_NODELAY set
* Connected to expired.badssl.com (104.154.89.105) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.badssl.com
*  start date: Apr  9 00:00:00 2015 GMT
*  expire date: Apr 12 23:59:59 2015 GMT
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify result: certificate has expired (10), continuing anyway.
> GET / HTTP/1.1
Host: expired.badssl.com
User-Agent: node-libcurl/2.0.3
Accept: */*

< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Mon, 16 Mar 2020 04:59:59 GMT
< Content-Type: text/html
< Content-Length: 494
< Last-Modified: Wed, 22 Jan 2020 16:30:37 GMT
< Connection: keep-alive
< ETag: "5e2878ad-1ee"
< Cache-Control: no-store
< Accept-Ranges: bytes
free(): invalid next size (fast)
[1]    9130 abort      node strict-ssl-bug.js

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
JCMais commented, Apr 12, 2020

I’m closing this as v2.1.0 (see the release page for full changelog) has been finally released. 🎉

1 reaction
JCMais commented, Apr 8, 2020

This probably was an issue with libcurl itself; it seems to be fixed in the prerelease version available at node-libcurl@next, which uses libcurl 7.69.1. This version will be released as 2.1.0 next week.
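
The values printed in the report are enough to audit a run. The sketch below is an added example, not code from the issue or from node-libcurl: it decodes `Curl.VERSION_NUM`, compares it with the libcurl 7.69.1 named in the comment above, and flags verbose lines where a certificate failure was ignored. The function names are hypothetical, and the sample log lines are copied from the reporter's output.

```javascript
// Added example: audit a node-libcurl run using only values it already prints.
// Pure Node.js, no dependencies. All function names here are hypothetical.

// libcurl packs its version number as 0xXXYYZZ (major, minor, patch).
function decodeVersionNum(num) {
  return { major: (num >> 16) & 0xff, minor: (num >> 8) & 0xff, patch: num & 0xff };
}

function versionToString(v) { return `${v.major}.${v.minor}.${v.patch}`; }

// True when the packed `num` is older than the dotted version string `min`.
function isOlderThan(num, min) {
  const [major, minor, patch] = min.split('.').map(Number);
  return num < ((major << 16) | (minor << 8) | patch);
}

// Find verbose lines where libcurl saw a certificate verification failure
// but kept going because peer verification was switched off.
function findVerifyBypasses(verboseLog) {
  const re = /^\*\s+SSL certificate verify result: (.+?) \((\d+)\), continuing anyway\.$/;
  const hits = [];
  for (const line of verboseLog.split(/\r?\n/)) {
    const m = re.exec(line);
    if (m) hits.push({ reason: m[1], code: Number(m[2]) });
  }
  return hits;
}

function auditRun(versionNum, verboseLog, minVersion) {
  return {
    libcurl: versionToString(decodeVersionNum(versionNum)),
    olderThanMin: isOlderThan(versionNum, minVersion),
    verifyBypasses: findVerifyBypasses(verboseLog),
  };
}

// Sample input: lines copied from the verbose output in the report.
const SAMPLE_LOG = [
  '* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256',
  '*  expire date: Apr 12 23:59:59 2015 GMT',
  '*  SSL certificate verify result: certificate has expired (10), continuing anyway.',
  '> GET / HTTP/1.1',
].join('\n');

// 475137 is the Curl.VERSION_NUM printed in the report; 7.69.1 is the libcurl
// version the maintainer names for node-libcurl@next.
const report = auditRun(475137, SAMPLE_LOG, '7.69.1');
console.log(report);
```
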
