72966

Forcing TLS 1.1 or higher on node.js

Question:

I'm trying to create a server that would use TLS 1.1 or higher.

This is my current TLS configuration:

var options = {}; options.key = fs.readFileSync('privatekey.pem'); options.cert = fs.readFileSync('certificate.pem'); options.secureProtocol = 'TLSv1_server_method'; options.ciphers = "AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"; options.honorCipherOrder = true; httpServer = https.createServer(options, app);

Just as was suggested <a href="http://nodejs.org/dist/v0.10.17/docs/api/tls.html#tls_tls_createserver_options_secureconnectionlistener" rel="nofollow">here</a>

From reading Openssl's guide <a href="http://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS" rel="nofollow">here</a> I didn't find anything about TLS 1.1

Any suggestions?

Answer1:

TLS 1.0 should no longer be used. This works to disable TLS 1.0 in node.js:

https.createServer({ secureOptions: require('constants').SSL_OP_NO_TLSv1, pfx: fs.readFileSync(path.resolve(pathToCert)) }, app).listen(443);

You can verify this using this tool: <a href="https://www.ssllabs.com/ssltest/" rel="nofollow">ssllabs</a>

Answer2:

This did the trick:

options.secureProtocol = 'SSLv23_server_method'; options.ciphers = "AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH";

The right place to look for it was <a href="https://www.openssl.org/docs/ssl/SSL_CTX_new.html" rel="nofollow">here</a>

Recommend