Minimum TLS Version for Node 12?

Were any changes made to the Auth0 Node (Rules) platform on 7/19/2022? I ask because we started receiving TLS socket hang up errors due to TLS negotiation problems in our remote database connectivity code at 7/19/2022 1:10 UTC.

Coincidentally, Auth0 made a blog post regarding the rollout of Node 16 support on the same day. This makes me think that an internal release was performed that had some sort of indirect impact on the behavior of the Node 12 runtime (such as --tls-min-v1.x being set). Can anyone from the Auth0 team shed some light on this?

Correction on the time mentioned above: 7/20/2022 1:10 UTC.

After further research it appears that our application works properly on systems with OpenSSL v1.1.1 installed but began failing when OpenSSL v3.x is installed. I am suspecting that Auth0 began using OpenSSL v3.x around 7/20/2022 1:10 UTC. Can someone from Auth0 confirm the version of OpenSSL used in the underlying operating system for Node JS 12 rules? Also, can you please tell us what SECLEVEL is set (if any) in the OpenSSL configuration?

Hi pbrooks,

I’m sorry you had a bad experience with TLS handshakes and didn’t get a timely response here.

Generally, engineering won’t let us share the specific versions of libraries we use. I don’t know offhand if a change was made here, but the timing is certainly suspicious.

Likewise engineering would likely not share the specifics of our OpenSSL configuration, but if you can share the TLS version and cipher you were trying to use I can tell you if it should have been supported (I’m assuming you’ve worked around this by now).

It’s very suspicious that the Node 16 rollout was mentioned on 7/19/2022 and that is the same day we started having issues. After performing a root cause analysis, we are pretty certain that on 7/19/2022, Auth0 either updated the underlying operating system minimum SECLEVEL configuration or updated from OpenSSL 1.x to OpenSSL 3.x. Those are really the only two possibilities that we uncovered. It would be nice if Auth0 could at least share some details about changes that occurred on 7/19/2022 because there wasn’t anything mentioned on the release notes that should have been a breaking change. From my perspective, it seems like the release notes were tied to some internal updates that were being made that should not have caused issues, but did.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.