Node-fetch: Disable SSL verification


Solution 1

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

Will ensure you ignore any rejected TLS certificates, or you can set this as an environment variable when running your Node service. However, this will likely not help, and is probably a bad idea. The SSL error is not because the certificate is invalid (such as a self-signed certificate) but instead because of a weak Diffie-Hellman key in the SSL/TLS configuration.

If this is a service you're hosting, you should look at correcting and improving your TLS/SSL ciphers. See this answer for more information.

The important part is:

You should use 2048-bit Diffie-Hellman groups or larger. You should not be using 512-bit or 1024-bit Diffie-Hellman groups.

If this is a third-party service, you should consider contacting them or using a different service, as they are leaving themselves open to the Logjam attack, which is also discussed in the answer linked above.

Solution 2

The other way to do it is to set your own agent on the fetch call.

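const fetch = require('node-fetch');
const https = require('https');

// Agent that skips certificate verification, only for requests that use it.
const httpsAgent = new https.Agent({
  rejectUnauthorized: false,
});

// Wrapped in an async function because `await` is not valid at the top
// level of a CommonJS module; url, headers and body come from the caller.
async function postWithAgent(url, headers, body) {
  const response = await fetch(url, {
    method: 'POST',
    headers: headers,
    body: body,
    agent: httpsAgent,
  });
  return response;
}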
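
An added example, not part of either answer: it separates the `dh key too small` handshake failure from the question, which skipping certificate checks does not address, from genuine certificate errors, and for those builds a per-host agent that trusts one CA with verification left on. The helper names, `PAGE_ERROR` and the `caPem` placeholder are assumptions; the error codes are Node's own.

```javascript
const https = require('https');

// Error object from the question on this page (OpenSSL file path trimmed).
const PAGE_ERROR = {
  message: 'request to https://external-login-api.com failed, reason: write EPROTO ' +
    '7316:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small',
  type: 'system', errno: 'EPROTO', code: 'EPROTO',
};

// Node error codes for certificate-verification failures, the only class
// of failure that rejectUnauthorized has any effect on.
const CERT_CODES = new Set([
  'DEPTH_ZERO_SELF_SIGNED_CERT', 'SELF_SIGNED_CERT_IN_CHAIN',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE', 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'CERT_HAS_EXPIRED', 'ERR_TLS_CERT_ALTNAME_INVALID',
]);

// Classify a failed fetch by cause (hypothetical helper).
function classifyTlsError(err) {
  const msg = String(err.message || '');
  if (/dh key too small/i.test(msg)) {
    return { kind: 'weak-dh', skipVerifyHelps: false,
      fix: 'server must move to a 2048-bit or larger DH group' };
  }
  if (CERT_CODES.has(err.code)) {
    return { kind: 'certificate', skipVerifyHelps: true,
      fix: 'trust the issuing CA on a per-host agent' };
  }
  return { kind: 'other', skipVerifyHelps: false, fix: 'not a certificate problem' };
}

// Build the value for node-fetch's `agent` option: HTTPS requests to `host`
// get an agent with verification still on; all others use the default agent.
// `ca` replaces the default trust store, so only `caPem` is trusted for `host`.
function agentSelector(host, caPem) {
  const agent = new https.Agent({ ca: caPem, rejectUnauthorized: true });
  return (parsedUrl) =>
    (parsedUrl.protocol === 'https:' && parsedUrl.hostname === host ? agent : undefined);
}

// Usage sketch (caPem is a placeholder for a PEM string you load yourself):
//   fetch(url, { agent: agentSelector('localhost', caPem) })
console.log(classifyTlsError(PAGE_ERROR));
```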
Author: Allan Martins

Updated on July 09, 2022

Comments

  • Allan Martins
    Allan Martins almost 2 years

    I have the following code, which is run from an Express server:

    import fetch from 'node-fetch';
    
    let formBody = [];
    
    const dataLogin = {
      'username': 'myUser',
      'password': 'myPassword'
    };
    
    for (let p in dataLogin) {
      let encodedKey = encodeURIComponent(p);
      let encodedValue = encodeURIComponent(dataLogin[p]);
      formBody.push(encodedKey + "=" + encodedValue);
    }
    
    formBody = formBody.join("&");
    
    const url = 'https://external-login-api.com';
    return fetch(url, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Content-Length': formBody.length
      },
      body: formBody
    });
    

    When I run the code I get the following error, despite being able to run the request in Postman with no problems.

    {"message":"request to https://external-login-api.com failed, reason: write EPROTO 7316:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:openssl\ssl\statem\statem_clnt.c:1472:\n","type":"system","errno":"EPROTO","code":"EPROTO"}

    How do I disable SSL verification for this request?

  • Daniel Carpio Contreras
    Daniel Carpio Contreras almost 5 years
    I'm on a corporate network and almost everything is blocked. This answer saved my life.
  • Elliot Blackburn
    Elliot Blackburn over 4 years
    @DanielCarpioContreras I'm glad I could help :)
  • Manatax
    Manatax about 4 years
    This is a better approach (if what you want is to disable SSL verification for node-fetch) since it only limits the ban-lift to the case you need it (like a one-off internal query), while still validating the certs of other connections (like third-party services).
  • user232548
    user232548 over 3 years
    Had to set NODE_TLS_REJECT_UNAUTHORIZED to zero from PowerShell before running tests for the flag to take effect. Testing against .NET Core in localhost I was following the .NET Core instructions to set dev certificates.
  • n8jadams
    n8jadams over 2 years
    I was just running a one-off script against my https localhost server and this was exactly what I needed. Thanks.
  • SoundwaveUwU
    SoundwaveUwU about 2 years
    question was about fetch API, not axios library