TLS connect: ECONNRESET

[NuSkooler]

• Version: 8.9.1
• Platform: Linux TEST 4.13.0-37-generic rename node.js -> io.js #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
• Subsystem: tls

I'm attempting to create a "raw" TLS connection to a server such that I can obtain the certificate information. For the server in question, I always get ECONNRESET. However, I can openssl s_client -connect ip:port just fine.

To reproduce:

const tls = require('tls');

function main() {  
  const opts = {
    port : 40050,
    host : '10.30.3.190',
    rejectUnauthorized : false,
  };

  const sock = tls.connect(opts, () => {    
    console.log(sock.getPeerCertificate());
  });

  sock.setEncoding('utf8');

  sock.on('error', err => {
    console.log('ERROR:');
    console.log(err); //  ECONNRESET
  });
}

main();

Example with debug:

NET 6236: pipe false undefined
STREAM 6236: read 0
STREAM 6236: need readable false
STREAM 6236: length less than watermark true
STREAM 6236: do read
NET 6236: _read
NET 6236: _read wait for connection
NET 6236: afterConnect
TLS 6236: start
NET 6236: _read
NET 6236: Socket._read readStart
STREAM 6236: read 0
STREAM 6236: need readable true
STREAM 6236: length less than watermark true
STREAM 6236: reading or ended false
NET 6236: onread -4095
NET 6236: EOF
STREAM 6236: emitReadable null
STREAM 6236: emit readable
STREAM 6236: flow null
NET 6236: onSocketEnd ReadableState {
  objectMode: false,
  highWaterMark: 16384,
  buffer: BufferList { head: null, tail: null, length: 0 },
  length: 0,
  pipes: null,
  pipesCount: 0,
  flowing: null,
  ended: true,
  endEmitted: false,
  reading: false,
  sync: false,
  needReadable: false,
  emittedReadable: true,
  readableListening: false,
  resumeScheduled: false,
  destroyed: false,
  defaultEncoding: 'utf8',
  awaitDrain: 0,
  readingMore: false,
  decoder: 
   StringDecoder {
     encoding: 'utf8',
     fillLast: [Function: utf8FillLast],
     lastNeed: 0,
     lastTotal: 0,
     lastChar: <Buffer 98 20 1c 02> },
  encoding: 'utf8' }
STREAM 6236: read 0
NET 6236: onSocketFinish
NET 6236: oSF: ended, destroy ReadableState {
  objectMode: false,
  highWaterMark: 16384,
  buffer: BufferList { head: null, tail: null, length: 0 },
  length: 0,
  pipes: null,
  pipesCount: 0,
  flowing: null,
  ended: true,
  endEmitted: false,
  reading: false,
  sync: false,
  needReadable: false,
  emittedReadable: true,
  readableListening: false,
  resumeScheduled: false,
  destroyed: false,
  defaultEncoding: 'utf8',
  awaitDrain: 0,
  readingMore: false,
  decoder: 
   StringDecoder {
     encoding: 'utf8',
     fillLast: [Function: utf8FillLast],
     lastNeed: 0,
     lastTotal: 0,
     lastChar: <Buffer 98 20 1c 02> },
  encoding: 'utf8' }
NET 6236: destroy
NET 6236: close
NET 6236: close handle
ERROR:
{ Error: socket hang up
    at TLSSocket.onHangUp (_tls_wrap.js:1135:19)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)
    at TLSSocket.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1056:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickCallback (internal/process/next_tick.js:180:9)
  code: 'ECONNRESET',
  path: undefined,
  host: '10.30.3.190',
  port: 40050,
  localAddress: undefined }
NET 6236: emit close

One more tid-bit of information: Given the code above but with a different port/host (e.g. 443/www.google.com) works fine.

[ozette]

Can confirm. I don't have this issue with version 6.1.0 of Node, but with 9.10.1 I do.
I used n to roll back the node version because of the ECONNRESET...

[tniessen]

Probably related to #16196, @nodejs/crypto.

[bnoordhuis]

I can't try the test case because of the internal IP address but the ecdhCurve change is the most likely cause, yes.

I'll close this out. If it turns out it's not that, can you update with more information and, preferably, steps for someone else to independently confirm? Thanks.