[Node.js][TLS] How to disable TLS 1.0/1.1 and restrict the TLS cipher suites in Node.js.

Before




After



Code Here:



const constants = require('crypto').constants;

...

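// Floor the protocol at TLS 1.2. The OpenSSL SSL_OP_NO_* flags are the legacy
// way to do this; `minVersion` is the documented tls option (Node >= 11.4) and
// is what newer runtimes honour, so set both. Do not combine `minVersion`
// with `secureProtocol`; `secureOptions` is fine alongside it.
ssl.secureOptions = constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1;
ssl.minVersion = 'TLSv1.2';
// Servers prefer their own order by default; state it explicitly so the order
// of the allow-list below is the order actually negotiated.
ssl.honorCipherOrder = true;
// The allow-list holds TLS 1.2 suites in OpenSSL name format. TLS 1.3 suites
// are configured with 'TLS_'-prefixed names in the same option and are not
// constrained by this list -- confirm with the nmap scan below if the runtime
// speaks TLS 1.3. The trailing '!MD5:!aNULL' is redundant with an explicit
// allow-list but harmless.
ssl.ciphers = `${getCapCiphers().join(':')}:!MD5:!aNULL`;
// create server
server = https.createServer(ssl, app);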

...

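/**
 * Allow-list of TLS 1.2 cipher suites for the HTTPS server, in server
 * preference order (ECDHE first), written as OpenSSL cipher names -- the
 * format Node's `ciphers` option expects (uppercase, no 'TLS_' prefix).
 * The IANA name is given beside each entry so scanner output
 * (nmap ssl-enum-ciphers, testssl.sh) can be matched against it.
 *
 * Review notes for whoever prunes this list:
 *  - The four entries without an ECDHE prefix use static RSA key exchange and
 *    give no forward secrecy; they are here for legacy-client compatibility
 *    only and should be dropped once no client depends on them.
 *  - The *-SHA256 / *-SHA384 entries without GCM are CBC suites; prefer the
 *    GCM ones when tightening further.
 *  - All suites are RSA-authenticated, so the server key must be RSA; an
 *    ECDSA certificate would need ECDHE-ECDSA-* entries instead.
 *  - The earlier configuration (the "default value" entries in the original
 *    note, given in IANA form) also offered the SHA-1 CBC suites
 *    ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES256-SHA and AES128-SHA;
 *    they are intentionally left out here.
 *  - Names can be checked against the local OpenSSL build with
 *    `tls.getCiphers()` (which reports them lowercased).
 *
 * Reference:
 * https://www.openssl.org/docs/man1.1.1/man1/ciphers.html#CIPHER-LIST-FORMAT
 *
 * @returns {string[]} A fresh array of OpenSSL cipher names; join with ':'
 *   to build the cipher string.
 */
function getCapCiphers() {
    return [
        'ECDHE-RSA-AES128-GCM-SHA256', // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        'ECDHE-RSA-AES256-GCM-SHA384', // TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        'ECDHE-RSA-AES128-SHA256', // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (CBC)
        'ECDHE-RSA-AES256-SHA384', // TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (CBC)
        // --- no forward secrecy below this line (static RSA key exchange) ---
        'AES256-GCM-SHA384', // TLS_RSA_WITH_AES_256_GCM_SHA384
        'AES256-SHA256', // TLS_RSA_WITH_AES_256_CBC_SHA256 (CBC)
        'AES128-GCM-SHA256', // TLS_RSA_WITH_AES_128_GCM_SHA256
        'AES128-SHA256', // TLS_RSA_WITH_AES_128_CBC_SHA256 (CBC)
    ];
}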


Note:
You can verify the result from the outside by scanning the server with nmap; the ssl-enum-ciphers script lists every protocol version and cipher suite the server still accepts, so TLS 1.0/1.1 and any suite outside the allow-list should no longer appear:

$ nmap -p 10632 --script ssl-enum-ciphers 123.45.67.89


Reference:
https://nodejs.org/api/tls.html
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html#CIPHER-LIST-FORMAT
https://nodejs.org/api/crypto.html

By Benjamin Wang 20200120
