Differences in https/tls between v4..v6..v8 #968

Closed
dikmax opened this issue Nov 13, 2017 · 2 comments

Comments


dikmax commented Nov 13, 2017

Here's code that works (it actually connects to the server) in Node 4.8.6 and Node 6.12.0, but fails to connect in Node 8.9.1:

const https = require('https');

// Request body: an object, serialized once below.
// (The original had content = '{}' and then JSON.stringify(content),
// which sends the JSON string "\"{}\"" rather than an empty object.)
const content = {};

const req = https.request({
    hostname: 'api.sandbox.paydirekt.de',
    port: 443,
    path: '/api/merchantintegration/v1/token/obtain',
    method: 'POST',
    // Restrict the handshake to a single ECDHE suite.
    ciphers: 'ECDHE-RSA-AES256-GCM-SHA384'
}, (res) => {
    console.log('statusCode:', res.statusCode);
    console.log('headers:', res.headers);

    res.on('data', (d) => {
        process.stdout.write(d);
    });
});
// Handshake failures surface here as 'error' events, not in the response callback.
req.on('error', (e) => {
    console.error(e);
});
req.write(JSON.stringify(content));
req.end();

The target server supports the specified cipher and has a valid certificate. Command-line openssl establishes the connection successfully.

$ openssl s_client -connect "api.sandbox.paydirekt.de:443" -cipher "ECDHE-RSA-AES256-GCM-SHA384"

CONNECTED(00000005)
depth=1 C = US, O = "thawte, Inc.", CN = thawte EV SSL CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.2=Hessen/1.3.6.1.4.1.311.60.2.1.1=Frankfurt am Main/businessCategory=Private Organization/serialNumber=HRB 99538/C=DE/ST=Hessen/L=Frankfurt am Main/O=Paydirekt GmbH/CN=sandbox.paydirekt.de
   i:/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G3
 1 s:/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G3
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----

... certificate data ...

-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.2=Hessen/1.3.6.1.4.1.311.60.2.1.1=Frankfurt am Main/businessCategory=Private Organization/serialNumber=HRB 99538/C=DE/ST=Hessen/L=Frankfurt am Main/O=Paydirekt GmbH/CN=sandbox.paydirekt.de
issuer=/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3517 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3A6B6B5F6E2555F9CA8DBB0A3747491471719E96B1CFBACA111E8E030BF1C66F
    Session-ID-ctx:
    Master-Key: 921C9884628D5D46AC01E0775970CF898FE824BAA3A926FD55093C6F2B958DF239CAD17A3F392E9669B8C320DE04E46A
    Start Time: 1510592227
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I've no more ideas for fixes/workarounds. Do you have any?

All versions are the latest, installed via Homebrew on the latest macOS 10.13.1.

Here are version details (process.versions):

v4:

{ http_parser: '2.7.0',
  node: '4.8.6',
  v8: '4.5.103.53',
  uv: '1.9.1',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  icu: '58.2',
  modules: '46',
  openssl: '1.0.2m' }

v6:

{ http_parser: '2.7.0',
  node: '6.12.0',
  v8: '5.1.281.108',
  uv: '1.15.0',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  icu: '58.2',
  modules: '48',
  openssl: '1.0.2m' }

v8:

{ http_parser: '2.7.0',
  node: '8.9.1',
  v8: '6.1.534.47',
  uv: '1.15.0',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  modules: '57',
  nghttp2: '1.25.0',
  openssl: '1.0.2m',
  icu: '59.1',
  unicode: '9.0',
  cldr: '31.0.1',
  tz: '2017b' }

I'll gladly provide additional details when needed.

bnoordhuis (Member) commented

Add ecdhCurve: 'auto' or ecdhCurve: 'secp384r1' to the options in node 8.

See nodejs/node#16196, ecdhCurve was supposed to default to tls.DEFAULT_ECDH_CURVE (='prime256v1') but didn't until recently.


dikmax commented Nov 15, 2017

Thanks! That actually helped!
