Tags: node.js, ssl, azure-aks, tls1.3

Client network socket disconnected before secure TLS connection was established - nodejs app and aks node


I have a nodejs application running on aks. 6 pods of the application are running. Application Insights is configured in the aks. I am getting an exception in app insights saying

FetchError: request to https://www.xxxxxxx.com/WebAPI/api/OJJ/Appointments/1 failed, reason: Client network socket disconnected before secure TLS connection was established

We are getting this exception intermittently only. There will be no errors for 2-3 days, then this exception will come.

Exception occurred in the last 7 days

For debugging the issue, I have done packet capture at aks node.

TLS v1.0 & v1.1 are disabled in LB, only TLS v1.2 and v1.3 are enabled.

Packet captured at aks node when we were getting frequent


Packet captured at aks node when there was no exception


Successful communications are happening on TLS v1.3 and all failed communications are happening on either v1.0 or v1.1.

Question: How can we ensure that the application will communicate only over TLS v1.2 or v1.3 with the server? Is it something that needs to be done from the application code, from the container image, or from the aks node configuration?


Solution

  • To address the intermittent TLS issues you're encountering with your Node.js application running in AKS, where successful communications are using TLS v1.3 but failures are occurring when older TLS versions are attempted, you can check out the below example:

    Your question: Is it something that needs to be done from application code? Yes, ensure that every HTTPS request initiated by your Node.js application specifies TLS v1.2 or v1.3. This can be done using the https module in Node.js, configuring the minVersion and maxVersion options.

    const https = require('https');
    const fs = require('fs');
    
    const options = {
      hostname: 'www.example.com',
      port: 443,
      path: '/api/data',
      method: 'GET',
      // key/cert are only needed when the server requires a client certificate (mutual TLS);
      // ca is only needed when the server's certificate chains to a private CA.
      // Drop these three lines if neither applies, otherwise readFileSync throws when the files are missing.
      key: fs.readFileSync('key.pem'),
      cert: fs.readFileSync('cert.pem'),
      ca: fs.readFileSync('ca.pem'),
      minVersion: 'TLSv1.2', // Minimum version of TLS: refuse anything older than TLS 1.2
      maxVersion: 'TLSv1.3'  // Maximum version of TLS
    };
    
    const req = https.request(options, (res) => {
      console.log(`STATUS: ${res.statusCode}`);
      // Log which protocol was actually negotiated, so a downgrade shows up in the logs.
      console.log(`TLS: ${res.socket.getProtocol()}`);
      res.on('data', (d) => {
        process.stdout.write(d);
      });
    });
    
    req.on('error', (e) => {
      // A handshake that cannot satisfy minVersion surfaces here as an error.
      console.error(`problem with request: ${e.message}`);
    });
    
    req.end();
    

    Alternatively, you can configure the container image to use only TLS v1.2 or v1.3 by setting the NODE_OPTIONS environment variable to --tls-min-v1.2 or --tls-min-v1.3, respectively. Finally, you can configure the AKS node to only allow TLS v1.2 and v1.3 by modifying the Schannel-specific registry keys as described in the TLS 1.2 Upgrade Workflow article.

    ENV NODE_OPTIONS="--tls-min-v1.2"
    
