Node.js sample configurations? #20
Comments
Great idea. Can you provide some example configs to work from?
Well, I'm not any sort of HTTPS or HTTPS-in-Node expert, but I can definitely throw in some example configs (from my own code and the docs) that perhaps can serve as the basis for experts to modify?

```js
var https = require('https');
var fs = require('fs');

var options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem'),
  ciphers: [
    'ECDHE-RSA-AES256-SHA384',
    'DHE-RSA-AES256-SHA384',
    'ECDHE-RSA-AES256-SHA256',
    'DHE-RSA-AES256-SHA256',
    'ECDHE-RSA-AES128-SHA256',
    'DHE-RSA-AES128-SHA256',
    'HIGH',
    '!aNULL',
    '!eNULL',
    '!EXPORT',
    '!DES',
    '!RC4',
    '!MD5',
    '!PSK',
    '!SRP',
    '!CAMELLIA'
  ].join(':'),
  ecdhCurve: 'prime256v1', // this is the default
  honorCipherOrder: true,
  secureOptions: require('constants').SSL_OP_NO_SSLv3 |
    require('constants').SSL_OP_NO_TLSv1 |
    require('constants').SSL_OP_NO_SSLv2
};

https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("hello world\n");
}).listen(8000, '127.0.0.1');
```

Most of that configuration is from the Node.js TLS documentation, with bits from the HTTPS documentation and the list of ciphers from io.js's default list (more discussion on that list is on the pull request). Again, I'm not qualified to certify or recommend this configuration, but hopefully it can serve as a starting point!
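An added example, not code from this thread or from any package mentioned in it: a small linter for Node.js TLS server options that checks them against the exclusions and protocol flags used in the sample config above. The name `auditTlsOptions` and the two `REQUIRED_*` lists are assumptions made for illustration, not a published Mozilla policy.

```javascript
'use strict';
const tls = require('tls');
const { constants } = require('crypto');

// Policy copied from the sample config in this thread (an assumption for this
// example): exclusions that must appear and protocol flags that must be set.
const REQUIRED_EXCLUSIONS = ['!aNULL', '!eNULL', '!EXPORT', '!DES', '!RC4', '!MD5'];
const REQUIRED_FLAGS = ['SSL_OP_NO_SSLv3', 'SSL_OP_NO_TLSv1'];

// Hypothetical helper. `knownCiphers` defaults to the suites this Node.js/OpenSSL
// build supports; a constructed list can be passed for repeatable checks.
function auditTlsOptions(options, knownCiphers = tls.getCiphers()) {
  const findings = [];
  const known = new Set(knownCiphers.map((c) => c.toLowerCase()));
  const entries = String(options.ciphers || '').split(':').filter(Boolean);

  if (entries.length === 0) {
    findings.push('ciphers: not set, the runtime default list is used');
  } else {
    for (const ex of REQUIRED_EXCLUSIONS) {
      if (!entries.includes(ex)) findings.push('ciphers: missing ' + ex);
    }
  }
  for (const e of entries) {
    // Only explicit suite names are checked. Keywords such as HIGH and entries
    // prefixed with !, + or - are cipher-string syntax, not suite names.
    const isSuiteName = e.includes('-') && !/^[!+-]/.test(e);
    if (isSuiteName && !known.has(e.toLowerCase())) {
      findings.push('ciphers: ' + e + ' is not a suite this runtime knows');
    }
  }
  if (options.honorCipherOrder !== true) {
    findings.push('honorCipherOrder: not explicitly true');
  }
  const set = options.secureOptions || 0;
  for (const name of REQUIRED_FLAGS) {
    const bit = constants[name] || 0; // skipped if this build does not define it
    if (bit !== 0 && (set & bit) !== bit) {
      findings.push('secureOptions: ' + name + ' not set');
    }
  }
  return findings;
}
```

Calling `auditTlsOptions(options)` with the default second argument also reports any listed suite name that the local OpenSSL build does not recognise.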
It might be better to simply port the whole thing to node. i.e., rather than generate a config, and loading that with node, have a module that sets options accordingly - that way, when the module is updated, the ciphers are updated.
I definitely like the idea of an NPM module, or perhaps a collection of them for each of the compatibility options. Perhaps something that would simplify the code above to something like:

```js
var https = require('https');
var fs = require('fs');
var mozTLS = require('moz-tls');

var options = mozTLS.modern({
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
});

https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("hello world\n");
}).listen(8000, '127.0.0.1');
```

or some such. Perhaps it could even validate the keys themselves to conform to recommendations?
@dahjelle exactly. I'm going to have a go at this tomorrow, will let you know once 0.0.1 is published.
@mikemaccana Sweet! Thanks! I'm looking forward to it!
Just published: https://www.npmjs.com/package/ssl-config which in turn relies on another new package https://www.npmjs.com/package/minimum-tls-version
@mikemaccana Awesome! Thanks for doing this—I've put it on my list to implement in our app. Much appreciated!
So it looks like this is completed now that @mikemaccana published his npm. If there's any way you can think of for future Mozilla ciphersuite changes to be rendered into your nodejs module, let me know. Nothing clever is coming to mind.
@gene1wood I'm now watching the
I realize configuring a Node.js server is a bit of a different beast than the other servers…but it'd be nice to have some examples of how to configure the built-in HTTPS server in Node.js to your recommendations.
Thanks for the great resource!