
ERR_SSL_VERSION_OR_CIPHER_MISMATCH with node v7.9.0 https

This code creates an https server in node v7.9.0 (the version Electron currently uses), and listens on port 8000:

require('https').createServer(
  {},
  (req, res) => {
    res.writeHead(200);
    res.end('hello world\n');
  }
).listen(8000);

Unfortunately, when I visit https://localhost:8000 in Chrome with the server running, I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH. How do I get past this error? How do I find out which ciphers the server is making available and which protocol it is using (hopefully the newest version of TLS)?

EDIT: This error also occurs on node v8.5.0, the newest stable version of Node at time of writing.

Michael Hewson asked Oct 29 '22 02:10


1 Answer

Late but: normally an SSL/TLS server including an HTTPS server needs a privatekey and (matching) certificate or chain to use for the publickey algorithms in the SSL/TLS handshake. See How to create an HTTPS server in Node.js? for examples.

Technically there are some 'anonymous' key-exchange mechanisms defined in the protocol that do not need a key&cert, but they are widely considered not adequately secure, and are disabled in OpenSSL (and thus nodejs) by default. There are also some key-exchange mechanisms using non-publickey algorithms like PSK, SRP, Kerberos, but they are much more difficult to use and require special configuration that I don't believe can be done with nodejs (and you certainly didn't do).

Thus without a key&cert, and without the anonymous or other special key-exchanges enabled, the set of ciphersuites supported by the server is the empty set with no elements -- and every connection attempt you make fails because the empty set never has a nonempty intersection with the set of ciphersuites offered by the client(s).

I think you can still find out which protocol version(s) it supports by looking at the version of the alert returned for different ClientHello versions, but I'm not sure what good this would do. In any case OpenSSL has supported TLS 1.0 through 1.2 since OpenSSL 1.0.1 released in 2012, and even nodejs 7.9.0 is quite a bit newer than 2012. OpenSSL also supports SSLv3 but in recent versions it is disabled or excluded from the build by default; if your version still includes it you should not use it because the POODLE attack breaks it. (This would normally occur only if you use a very old client that is capable only of SSLv3 and not any TLS, so don't use such clients.) Actually OpenSSL below 1.1.0 'supports' SSLv2 in that the code is still present, but the default configuration disables it; SSLv2 has long been broken and prohibited and you should definitely not use it.

As of Sep. 2018, OpenSSL 1.1.1 is released and supports TLS 1.3 as well. I don't know if/when nodejs uses/supports this.

dave_thompson_085 answered Nov 09 '22 06:11