Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Node.js request module and POODLE

openssl thrown in the callback of a node.js request module request:

error: Error: 140735274562320:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1293:SSL alert number 40

    at SlabBuffer.use (tls.js:235:18)
    at CleartextStream.read [as _read] (tls.js:455:29)
    at CleartextStream.Readable.read (_stream_readable.js:341:10)
    at EncryptedStream.write [as _write] (tls.js:369:25)
    at doWrite (_stream_writable.js:226:10)
    at writeOrBuffer (_stream_writable.js:216:5)
    at EncryptedStream.Writable.write (_stream_writable.js:183:11)
    at write (_stream_readable.js:602:24)
    at flow (_stream_readable.js:611:7)
    at Socket.pipeOnReadable (_stream_readable.js:643:5)
    at Socket.emit (events.js:92:17)
    at emitReadable_ (_stream_readable.js:427:10)
    at emitReadable (_stream_readable.js:423:5)
    at readableAddChunk (_stream_readable.js:166:9)
    at Socket.Readable.push (_stream_readable.js:128:10)
    at TCP.onread (net.js:529:21)

Make sure you're not making the request under the 'SSLv3_method'. The server you're hitting may have added protection against incoming requests using this method. Check the method here by logging out options.agentOptions: https://github.com/request/request/blob/f0acc0b3e0bbc8a57d3418ab93eadbf162089514/request.js#L317

If you see secureProtocol: 'SSLv3_method', try removing that option.

You can also test with openssl only to verify: https://gist.github.com/3rd-Eden/715522f6950044da45d8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment