Guest Cohee Posted April 18 Share Posted April 18 First of all, I'm not an ESET user or customer. I'm a maintainer of an open-source NodeJS application called SillyTavern. Yesterday (April 17, 2024) around 16:00 UTC I started receiving reports from users that they couldn't connect to secure hosts through the app, and a GitHub issue was raised. The source of the issue comes from the fact that the users have an incomplete certificate chain on their system, and unlike web browsers that use TLS AIA extension or use their own CA bundle, Node does not automatically complete the certificate chain, which results in an OpenSSL error like the follows (full error log in a linked issue): Quote FetchError: request to https://api.cohere.ai/v1/models failed, reason: unable to verify the first certificate Accessing the affected hosts (an example list below) through a web browser does not result in an error due to the reasons I stated above: https://api.cohere.ai/ https://api.novelai.net https://openrouter.ai/ After some investigations with the author of GitHub issues, it was found that it only affects users who are using ESET antivirus products. There are more than 5 affected users so far who reported this either on GitHub or in the Discord community. ESET NOD32 17.1.9.0 on Windows 10 (unknown winver) ESET Smart Security 17.0.16.0 on Windows 10 22H2 It is important to clarify, that it is not a bug of the specific application as it affects all outgoing connections from other apps that do not implement the TLS AIA extension, here's a minimal reproducible example of a script that results in the same error for the affected users: https://gist.github.com/Cohee1207/10774c05392e1f15f0f5ceac2559e106 The users were also asked to run the following command to connect to an affected host directly by using the OpenSSL client, which resulted in a failed SSL handshake (Verification error: unable to get local issuer certificate): Quote openssl s_client -connect api.novelai.net:443 The full output can be found here: https://gist.github.com/Cohee1207/0cf589be525a64e928e3e7260232f8d4 Also, the users confirmed that running Windows in Safe mode, removing ESET products from their system, or adding Node to a list of exceptions for SSL protection seemed to have fixed their issue. I'm looking forward to your reply. Link to comment
Administrators Marcos 5,273 Posted April 18 Administrators Share Posted April 18 Please raise a support ticket so that the issue can be reproduced and logs relayed to the developers for perusal. Link to comment
Guest Upset ESET Customer Posted April 18 Share Posted April 18 I have confirmed the same behavior. As a customer of ESET, all of our dev machines were having "unable to verify the first certificate" with nodejs. Removing ESET SSL protection fixed the issue. This only occurred this morning. Link to comment
Guest Same problem here Posted April 18 Share Posted April 18 We need a fix for this. Link to comment
Administrators Marcos 5,273 Posted April 18 Administrators Share Posted April 18 Please raise a support ticket so that the issue can be reproduced and logs relayed to the developers for perusal. Link to comment
itman 1,748 Posted April 18 Share Posted April 18 11 hours ago, Guest Cohee said: Accessing the affected hosts (an example list below) through a web browser does not result in an error due to the reasons I stated above: https://api.cohere.ai/ https://api.novelai.net https://openrouter.ai/ Only URL I could access w/o issue using latest ver. of Firefox was for openrouter.ai. The other two URLs resulted in; Link to comment
Guest guest7 Posted April 18 Share Posted April 18 You need to access HTTPS via Node/NPM which already typically fails validation whenever an intermediate cert is not provided. Modern browsers rarely surface chain issues. It's very easy to replicate using any node JS application, application error responses happen post SSL negotiation so don't matter. It's a shame this forum exists yet a useful post with all relevant info is ignored until a support ticket is raised. This issue caused a huge headache, and OP posting this was a huge help in confirming it wasn't an isolated issue. Link to comment
Guest Julien Bras Posted April 18 Share Posted April 18 It's easily reproductible here with this as mentioned by the OP: https://gist.github.com/Cohee1207/10774c05392e1f15f0f5ceac2559e106 It causing headaches here in my company. I have already open a case (#YWH-412-64908 on https://customers.eset-nod32.fr )but no answer yet. Thanks for the action on that. Link to comment
Guest kevin morizur Posted April 19 Share Posted April 19 I confirm the need for a fix we have more than 3000 machines running with ESET NOD32 17.1.9.0 on Windows 10 and that are facing similar issue when accessing https service from nodejs application. Eset is adding its own certificate in the chain which is not valid for nodejs. We can see that ESET certifcate has been updated on april 17th. An "easy" fix if you have only few machines is to deactivate ssl option for configuration. We already raised ticket yesterday morning without any answer... Link to comment
Administrators Marcos 5,273 Posted April 19 Administrators Share Posted April 19 The issue has been reported to developers. P_EESW-11455 Link to comment
Guest Siemer Posted April 19 Share Posted April 19 Many hours of work lost thanks to this bug. For reference, here are a few common error messages: npm ERR! code UNABLE_TO_VERIFY_LEAF_SIGNATURE npm ERR! request to https://registry.npmjs.org/... failed, reason: unable to verify the first certificate Error downloading and extracting template package: Error: npm exited with non-zero code: 1 In old messages an often recommended solution is to run npm config set strict-ssl false which just disables SSL all together and is obviously a bad idea. The current solution is to disable HTTPS traffic scanning in the advanced settings. This should be fixed asap, many developers depend on node. Link to comment
Administrators Marcos 5,273 Posted April 19 Administrators Share Posted April 19 It is not actually a bug, we merely started to scan nodejs communication in order to detect nodejs malware payload. An easy solution is to tell nodejs to use the system CA cert.. store by running: node --use-openssl-ca https://stackoverflow.com/questions/29283040/how-to-add-custom-certificate-authority-ca-to-nodejs Alternatively (less safe) you can add nodejs executable to the list of applications excluded from TLS filtering. Link to comment
Guest Rob Lang @MCO Posted April 19 Share Posted April 19 Quote It's not actually a bug No, it's much worse. You willfully pushed out a change without warning that brings down line of business systems. That's negligence. I get the sense that you don't fully understand how serious this is. I have raised a ticket and will be pursuing. Link to comment
Guest Roman Posted April 19 Share Posted April 19 Hi Eset, I've been a customer of yours for several years and I'm having serious problems with this new "feature". I can't develop anything and my work is stuck. Your suggestion does not work node --use-openssl-ca .\dist\apps\api\main.js I get an error: TypeError: fetch failed at node:internal/deps/undici/undici:12500:13 for process.processTicksAndRejections (node:internal/process/task_queues:95:5) { [Cause] Failure: Could not verify the first certificate on TLSSocket.onConnectSecure (node:_tls_wrap:1674:34) on TLSSocket.emit (node:events:519:28) on TLSSocket.emit (node:domain:488:12) at TLSSocket._finishInit (node:_tls_wrap:1085:8) at ssl.onhandshakeone (node:_tls_wrap:871:12) on TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17) { code code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' } } } Is it possible to disable this behaviour or do I need to uninstall Eset? Link to comment
Guest Rob Lang Posted April 19 Share Posted April 19 Quote An easy solution is to tell nodejs to use the system CA cert.. store by running: node --use-openssl-ca This solution not possible when deploying to a server using GitHub Action Runner because GitHub Actions does not let you specify command line arguments for security reaons. Furthermore, adding in TLS exception is unwise because the location of the node exe can change. Right now, my server using GitHub Action Runner and ESET Server Security 11 has the following installations of node: C:\actions-runner\externals.2.315.0\node16\bin\node.exe C:\actions-runner\externals.2.315.0\node20\bin\node.exe C:\actions-runner\externals.2.314.1\node16\bin\node.exe C:\actions-runner\externals.2.314.1\node20\bin\node.exe In a few weeks when the GHA runner is updated, there will be a new folder and the TLS exception won't include it and my deployment will fail. I need to add root cause anaylsis into our ISO27001 Information Management Systems. What was the root cause of your release without warning that directly affects business line systems? Can we expect a public blog article explaining the change, how it was signed off and what mitigations will be performed in the future? What assurance can you give that you won't release another security update without warning that might grossly affect a business line system? I've raised this on the UK support ticket (CASE_00747921) but have been told that "Head Office" is the right place and that is here. Link to comment
itman 1,748 Posted April 19 Share Posted April 19 40 minutes ago, Guest Rob Lang said: I've raised this on the UK support ticket (CASE_00747921) but have been told that "Head Office" is the right place and that is here. No. The Eset forum is not the proper place to pursue this matter. Eset headquarters info shown below; Link to comment
Administrators Marcos 5,273 Posted April 19 Administrators Share Posted April 19 It is also possible to create exclusions from filtering by IP addresses and certificates as a workaround. Link to comment
Guest Josh Posted April 19 Share Posted April 19 This is also affecting all of our builds for our test and production systems. Link to comment
Guest Pachomar Posted April 19 Share Posted April 19 Lost a full day of work thanks to this "feature". As a paying costumer, I hope you address this issue ASAP Link to comment
Guest Tim Posted April 20 Share Posted April 20 Any update on this? Is there a fix for this being worked on? Unable to continue development work without disabling HTTPS, which is obviously an incredibly bad idea! Link to comment
Guest Anon Posted April 20 Share Posted April 20 I have formatted my computer and have been looking for the problem for 3 days. And the source of the problem is ESET, I need this fixed as soon as possible. Link to comment
Guest Siemer Posted April 20 Share Posted April 20 No need to disable https, just disable this incredibly shortsighted feature in the advanced settings. Marcos, are you serious? It's intended behavior to BREAK NODE (and some functionality of React Native Expo) and it's up to us to switch to system CA cert. store? I hope you are doing everything you can to push an update that reverts this nonsense, or I will be pushing for a different security provider that actually respects their clients. Link to comment
Guest _JV Posted April 20 Share Posted April 20 Thanks to this thread I was able to provide a workaround to my customers who opened a support ticket. I'm personally an ESET customer and I'm disappointed that an update that breaks all Node applications got rolled out, was identified as faulty here, and several days later, the update has not been rolled back. This is a high severity incident and should be handled as such. Link to comment
itman 1,748 Posted April 20 Share Posted April 20 3 hours ago, Guest Siemer said: No need to disable https, just disable this incredibly shortsighted feature in the advanced settings. Are you referring to disabling Eset Browser Script Scanner? Link to comment
Guest Siemer Posted April 20 Share Posted April 20 This setting: (image from this SO thread: https://stackoverflow.com/questions/78343601/node-unable-to-verify-the-first-certificate) Link to comment
Recommended Posts