npm ERR! code EPROTO

There was an SSL/TLS communication error.

Frequently documented in developer and vendor support forums.

• Outdated Node.js version
• Corporate proxy interference
• Network security software

1. Update Node.js to latest LTS
2. Check proxy SSL settings
3. Try npm config set strict-ssl false

Last reviewed: March 2026 How we review solutions

EPROTO is a protocol-level error that occurs during the TLS/SSL handshake between npm and the registry server. The error means the client and server could not agree on encryption parameters, or the encrypted connection was interrupted. Corporate proxy servers are the most common cause—many organizations use HTTPS-intercepting proxies (also called SSL inspection or MITM proxies) that replace the registry's TLS certificate with their own corporate certificate. When npm does not trust the proxy's certificate authority (CA), the handshake fails. Outdated Node.js versions are the second most common cause: older Node versions use OpenSSL builds that lack support for newer TLS protocols and ciphers. If the registry server requires TLS 1.3 and your Node.js only supports up to TLS 1.2, the connection fails at the protocol negotiation stage. Misconfigured system clocks can also trigger EPROTO—TLS certificates have validity windows, and a system clock set far in the past or future makes valid certificates appear expired or not-yet-valid, aborting the handshake. VPN software that modifies network traffic can interfere with TLS connections, as can deep packet inspection firewalls that attempt to inspect encrypted traffic.

1. Check if you are behind a corporate proxy: echo $HTTPS_PROXY
2. Verify your Node.js version supports modern TLS: node -e "console.log(process.versions.openssl)"
3. Check system clock accuracy: date
4. Try with strict SSL disabled (temporary): npm config set strict-ssl false
5. Test with curl: curl -v https://registry.npmjs.org/

Self-signed certificate on private registry

Private registries using self-signed certificates require npm to explicitly trust the CA. Set npm config set cafile /path/to/ca.pem or set NODE_EXTRA_CA_CERTS. Do not disable strict-ssl globally as it removes all certificate validation.

Node.js compiled with BoringSSL instead of OpenSSL

Some Node.js distributions (Electron, certain enterprise builds) use BoringSSL, which may not support the same cipher suites. This can cause handshake failures with registries that require specific ciphers. Use the official Node.js distribution from nodejs.org.

IPv6 connection routed through IPv4-only proxy

If the DNS returns an IPv6 address but your proxy only handles IPv4, the TLS handshake may fail at the protocol level. Force IPv4 with npm config set prefer-ipv4 true or configure the proxy to handle IPv6.

Is disabling strict-ssl safe?

Only temporarily for debugging - not for production.

Why does proxy cause this?

Proxies may use their own SSL certificates.

Is it safe to set strict-ssl to false?

Only as a temporary diagnostic step. Disabling SSL verification makes npm vulnerable to man-in-the-middle attacks—an attacker on your network could serve malicious packages. Always re-enable strict-ssl after identifying the root cause.

How do I find my corporate proxy CA certificate?

Ask your IT department for the root CA certificate in PEM format. You can also extract it from a browser: visit the registry URL, click the lock icon, view certificate chain, and export the root CA. Save it as a .pem file.

Why does EPROTO happen after a Node.js upgrade?

Newer Node.js versions may use stricter TLS defaults that reject older cipher suites or protocols. This is a security improvement. If the registry or proxy does not support modern TLS, you may need to update the proxy configuration rather than downgrading Node.

• npm install – Official npm Docs
• package.json Reference – npm Docs