[Nodejs][TLS] How to disable TLS 1.0 1.1 and set ssl ciphers in Node.JS.
Code Here:
const constants = require('crypto').constants;
...
ssl.secureOptions = constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1;
ssl.ciphers = getCapCiphers().join(':') + ':!MD5:!aNULL';
// create server
server = https.createServer(ssl, app);
...
function getCapCiphers() {
/*
reference:
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html#CIPHER-LIST-FORMAT
*/
return [
'ECDHE-RSA-AES128-GCM-SHA256', // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
'ECDHE-RSA-AES256-GCM-SHA384', // TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
'ECDHE-RSA-AES128-SHA256', // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
'ECDHE-RSA-AES256-SHA384', // TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
'AES256-GCM-SHA384', // TLS_RSA_WITH_AES_256_GCM_SHA384
'AES256-SHA256', // TLS_RSA_WITH_AES_256_CBC_SHA256
'AES128-GCM-SHA256', // TLS_RSA_WITH_AES_128_GCM_SHA256
'AES128-SHA256', // TLS_RSA_WITH_AES_128_CBC_SHA256
// default value:
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
// 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
// 'TLS_RSA_WITH_AES_256_CBC_SHA',
// 'TLS_RSA_WITH_AES_128_CBC_SHA'
];
}
Node:
You can use nmap to scan host server
$ nmap -p 10632 --script ssl-enum-ciphers 123.45.67.89
Reference:
https://nodejs.org/api/tls.html
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html#CIPHER-LIST-FORMAT
https://nodejs.org/api/crypto.html
By Benjamin Wang 20200120
網誌管理員已經移除這則留言。
回覆刪除