63

I have an Ubuntu VM that is having trouble connecting to sites with ssl, i.e. https. It can successfully download artifacts from the internet if the url begins with http.

npm install will download dependencies via https. Is there any way to make it download via http?

Holger Just
Ken Hirakawa
  • What errors do you get when downloading using HTTPS? – Bruno Jan 16 '12 at 00:48
  • It hangs for a while, then I get this -> https://gist.github.com/1619128 – Ken Hirakawa Jan 16 '12 at 04:52
  • 1
    Rather than posting this error message on gist.github, you should edit your question and put it there. It doesn't say anything about HTTPS, though. Anything in the additional logs? – Bruno Jan 16 '12 at 10:07

4 Answers

145

Try changing the registry to the http version rather than the default https one using the command

npm config set registry http://registry.npmjs.org/
colinf
  • 3
    notice that you need to do the same with an additional `sudo` if you want to install global packages with the `-g` flag – lordvlad Jan 14 '14 at 20:32
  • 1
    this fixed my issue and may be helpful for anyone else who is also behind a proxy / web firewall and is receiving errors at `SSL23_GET_SERVER_HELLO` on installs. – meklarian Jul 22 '15 at 14:40
  • 1
    I did just that and still get the same error. Log shows that npm queries using http but I still get the unknown protocol ssl – FrenchFigaro Jan 25 '18 at 14:00
  • 1
    this opens up for security vulnerabilities – matanster Mar 19 '18 at 21:20
14

As colinf said, the following should work:

npm config set registry http://registry.npmjs.org/

Now, to add my word, you should also consider that downloading without ssl allows a man-in-the-middle attack. It is only to add a warning to people who would read the post.

If you are a solo developer there should not be much trouble downloading in http directly, but if I wanted to attack a company using node.js I would consider delivering malicious code through npm... And performing such an attack without ssl will be much easier.

Creasixtine
  • Can you explain how you'd do this? – Mukus Sep 10 '15 at 00:39
  • 4
    @Mukus DNS has been compromised many times by setting up local rogue DNS, thus hijacking "registry.npmjs.org" for the target servers. Because there is no TLS, there is no handshake verification of the npm server via certificate signing with a root authority. The rogue npm server behind the rogue DNS could deliver whatever code it wants, which is run during npm install. – thesmart Apr 27 '16 at 20:54
  • +1 for security reasons. I was having issues with npm over `https` at work, signing into our VPN solved the issue for me. – Roy Aug 01 '16 at 13:54
14

After much trial and error I found that in addition to all that was said above, I also need to set the https-proxy to the value of the http proxy.

So the end .npmrc file looks like

proxy=http://username:password@proxy.address:port/
https-proxy=http://username:password@proxy.address:port/
strict-ssl=false
registry=http://registry.npmjs.org/

Note that proxy and https-proxy are identical!

See the comments on this thread for more info:

https://github.com/npm/npm/issues/8034

Also I ran a npm cache clean --force after updating the npmrc for good measure but I am not sure if it is required.

Hope that helps.

phyatt
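As an added example (not code from any of the answers or from npm), a small Node.js audit that flags the settings in the `.npmrc` above that remove npm's transport protection: a plaintext `http://` registry, `strict-ssl=false`, and a proxy password stored in the file. The helper names, `proxy.example:3128` and the CA file path are assumptions; the `cafile` line is one corrected form, assuming the proxy re-signs TLS with an internal root CA.

```javascript
// Added example: audit an .npmrc for settings that weaken transport security.
// parseNpmrc and auditNpmrc are hypothetical helper names, not part of npm.
function parseNpmrc(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) return; // blank or comment
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    entries.push({ line: i + 1, key: line.slice(0, eq).trim(), value });
  });
  return entries;
}

function auditNpmrc(text) {
  const findings = [];
  for (const { line, key, value } of parseNpmrc(text)) {
    // "registry" and scoped "@scope:registry": plain HTTP means the server is never authenticated.
    if (/(^|:)registry$/.test(key) && /^http:\/\//i.test(value)) {
      findings.push({ line, key, issue: 'plaintext-registry' });
    }
    if (key === 'strict-ssl' && value.toLowerCase() === 'false') {
      findings.push({ line, key, issue: 'tls-verification-disabled' });
    }
    if (key === 'proxy' || key === 'https-proxy') {
      let url;
      try { url = new URL(value); } catch { continue; } // skip unparseable values
      if (url.password) findings.push({ line, key, issue: 'proxy-password-in-file' });
    }
  }
  return findings;
}

// Constructed sample: the .npmrc from the answer above, with a placeholder proxy host and port.
const weak = [
  'proxy=http://username:password@proxy.example:3128/',
  'https-proxy=http://username:password@proxy.example:3128/',
  'strict-ssl=false',
  'registry=http://registry.npmjs.org/',
].join('\n');
// Constructed corrected form: HTTPS registry, verification on, internal root CA trusted.
const hardened = [
  'https-proxy=http://proxy.example:3128/',
  'strict-ssl=true',
  'cafile=/etc/ssl/certs/corp-root-ca.pem', // placeholder path
  'registry=https://registry.npmjs.org/',
].join('\n');
console.log(auditNpmrc(weak), auditNpmrc(hardened));
```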
4

changing ssl-strict worked for me behind a corporate firewall

npm config set ssl-strict=false

Jeremy Fiel