HTTP2 connection to HTTPS server in the Node 19 with error ECONNRESET

[Aleksey28]

Version

v19.8.1

Platform

Microsoft Windows NT 10.0.19045.0 x64

Subsystem

TLS/SSL

What steps will reproduce the bug?

Run https server:

//server.js
const https      = require('https');
const selfSigned = require('openssl-self-signed-certificate');

const options = {
  key: selfSigned.key,
  cert: selfSigned.cert
};

https.createServer(options, (req, res) => {
    res.writeHead(200);
    res.end('hello world\n');
}).listen(3000);

Then use http2.connect to connect with this server:

//connection.js
const http2 = require('http2');

const session = http2.connect('https://127.0.0.1:3000/');

session.on('error', (err) => {
  console.error(err);
});

session.on('connect', () => {
  console.log('connected')
});

You can use your own https options instead of openssl-self-signed-certificate. It doesn't matter.

How often does it reproduce? Is there a required condition?

It happens permanently in Node 19.

What is the expected behavior? Why is that the expected behavior?

The event connect should be triggered

What do you see instead?

Node 19 doesn't execute connect and rise an error:

Error: Client network socket disconnected before secure TLS connection was established
    at connResetException (node:internal/errors:717:14)
    at TLSSocket.onConnectEnd (node:_tls_wrap:1613:19)
    at TLSSocket.emit (node:events:524:35)
    at endReadableNT (node:internal/streams/readable:1359:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
  code: 'ECONNRESET',
  path: undefined,
  host: '127.0.0.1',
  port: '3000',
  localAddress: undefined
}

Additional information

If run this example on Node before the 19 version, another error will rise but at least the connect event will be triggered.

[bnoordhuis]

The event connect should be triggered

You say 'what' but not 'why'.

FWIW, I don't think it's a reasonable expectation. It's appropriate that no connection/session is established when the server uses an invalid certificate. If older node versions behaved differently, that only means node became more correct over time.

(I'm counting self-signed as invalid because such a certificate doesn't validate against any trust anchors.)

[Aleksey28]

I need to check the connection for developing purposes. And it works fine till the 19 version. When I'm creating a new valid openssl certificate and use it instead of openssl-self-signed-certificate, the error rises anyway. I wrote about it, that it doesn't matter whether using openssl-self-signed-certificate or personal certificate. I can't find a solution to this problem and don't understand what I need to do. And yes first of all I also assumed that problem with openssl-self-signed-certificate, but creating a new certificate doesn't help.

[bnoordhuis]

You pass an options object to http2.connect() that disables TLS verification. The options object is passed on to tls.connect(); consult the documentation for that method.

Alternatively, you can pass a .createConnection callback if you want still more control over how the TLS connection is established.

I'm converting this to a discussion because there's no bug here, node is behaving as it should.

[Aleksey28]

But I don't pass any options object to http2.connect(), only url.

[bnoordhuis]

Exactly. You will want to change that.

[Aleksey28]

Is there perhaps a way to mock this behavior for the 'self-signed' certificate?