TLSv1.3 cipher suites supported #42059

Open
thernstig opened this issue Feb 20, 2022 · 12 comments
Labels
crypto Issues and PRs related to the crypto subsystem. doc Issues and PRs related to the documentations. question Issues that look for answers. tls Issues and PRs related to the tls subsystem.

Comments

@thernstig
Contributor

thernstig commented Feb 20, 2022

Affected URL(s)

https://nodejs.org/api/tls.html

Description of the problem

The page states:

node/doc/api/tls.md

Lines 360 to 370 in 53364a2

There are only five TLSv1.3 cipher suites:
* `'TLS_AES_256_GCM_SHA384'`
* `'TLS_CHACHA20_POLY1305_SHA256'`
* `'TLS_AES_128_GCM_SHA256'`
* `'TLS_AES_128_CCM_SHA256'`
* `'TLS_AES_128_CCM_8_SHA256'`
The first three are enabled by default. The two `CCM`-based suites are supported
by TLSv1.3 because they may be more performant on constrained systems, but they
are not enabled by default since they offer less security.

However, executing tls.getCiphers() shows:

[
  'aes128-gcm-sha256',
  'aes128-sha',
  'aes128-sha256',
  'aes256-gcm-sha384',
  'aes256-sha',
  'aes256-sha256',
  'dhe-psk-aes128-cbc-sha',
  'dhe-psk-aes128-cbc-sha256',
  'dhe-psk-aes128-gcm-sha256',
  'dhe-psk-aes256-cbc-sha',
  'dhe-psk-aes256-cbc-sha384',
  'dhe-psk-aes256-gcm-sha384',
  'dhe-psk-chacha20-poly1305',
  'dhe-rsa-aes128-gcm-sha256',
  'dhe-rsa-aes128-sha',
  'dhe-rsa-aes128-sha256',
  'dhe-rsa-aes256-gcm-sha384',
  'dhe-rsa-aes256-sha',
  'dhe-rsa-aes256-sha256',
  'dhe-rsa-chacha20-poly1305',
  'ecdhe-ecdsa-aes128-gcm-sha256',
  'ecdhe-ecdsa-aes128-sha',
  'ecdhe-ecdsa-aes128-sha256',
  'ecdhe-ecdsa-aes256-gcm-sha384',
  'ecdhe-ecdsa-aes256-sha',
  'ecdhe-ecdsa-aes256-sha384',
  'ecdhe-ecdsa-chacha20-poly1305',
  'ecdhe-psk-aes128-cbc-sha',
  'ecdhe-psk-aes128-cbc-sha256',
  'ecdhe-psk-aes256-cbc-sha',
  'ecdhe-psk-aes256-cbc-sha384',
  'ecdhe-psk-chacha20-poly1305',
  'ecdhe-rsa-aes128-gcm-sha256',
  'ecdhe-rsa-aes128-sha',
  'ecdhe-rsa-aes128-sha256',
  'ecdhe-rsa-aes256-gcm-sha384',
  'ecdhe-rsa-aes256-sha',
  'ecdhe-rsa-aes256-sha384',
  'ecdhe-rsa-chacha20-poly1305',
  'psk-aes128-cbc-sha',
  'psk-aes128-cbc-sha256',
  'psk-aes128-gcm-sha256',
  'psk-aes256-cbc-sha',
  'psk-aes256-cbc-sha384',
  'psk-aes256-gcm-sha384',
  'psk-chacha20-poly1305',
  'rsa-psk-aes128-cbc-sha',
  'rsa-psk-aes128-cbc-sha256',
  'rsa-psk-aes128-gcm-sha256',
  'rsa-psk-aes256-cbc-sha',
  'rsa-psk-aes256-cbc-sha384',
  'rsa-psk-aes256-gcm-sha384',
  'rsa-psk-chacha20-poly1305',
  'srp-aes-128-cbc-sha',
  'srp-aes-256-cbc-sha',
  'srp-rsa-aes-128-cbc-sha',
  'srp-rsa-aes-256-cbc-sha',
  'tls_aes_128_ccm_8_sha256',
  'tls_aes_128_ccm_sha256',
  'tls_aes_128_gcm_sha256',
  'tls_aes_256_gcm_sha384',
  'tls_chacha20_poly1305_sha256'
]

Notice how tls_aes_128_ccm_sha256 and tls_aes_128_ccm_8_sha256 are part of that list.

How can it then be true that the first example states they are not enabled?

@thernstig thernstig added the doc Issues and PRs related to the documentations. label Feb 20, 2022
@richardlau
Member

I suspect this is either fixed by #41864 (yet to be released) or a documentation bug.
cc @nodejs/crypto

@tniessen
Member

As stated in the documentation, tls.getCiphers() returns the list of supported ciphers. But not all supported ciphers are enabled by default:

node/doc/api/tls.md

Lines 276 to 278 in 53364a2

Node.js is built with a default suite of enabled and disabled TLS ciphers. This
default cipher list can be configured when building Node.js to allow
distributions to provide their own default list.

By default, the TLS 1.3 CCM ciphers are disabled (look at crypto.constants.defaultCoreCipherList). But they are supported, so you can manually enable them.

@tniessen tniessen added the question Issues that look for answers. label Feb 20, 2022
@Mesteery Mesteery added crypto Issues and PRs related to the crypto subsystem. tls Issues and PRs related to the tls subsystem. labels Feb 21, 2022
@thernstig
Contributor Author

@tniessen, thanks, that does make a bit more sense. I am thinking documentation could be more clear here, as it might not be immediately obvious. The key term supported is easy to misinterpret. To remedy this, I would recommend adding to tls.getCiphers() some note stating something like

Note that this is not the same as the enabled cipher suites. Enabled cipher suites are just a subset of the supported cipher suites.

In addition, crypto also has the constant crypto.constants.defaultCipherList, which shows the list of cipher suites configured (enabled/disabled etc.) following the format of openssl ciphers. This is not mentioned anywhere on https://nodejs.org/api/tls.html, but it is a good constant to know about. Should that be mentioned somewhere as well under Modifying the default TLS cipher suite?

Last but not least, would it make sense to extend tls.getCiphers() to allow for a parameter that could get the ciphers that one is after in a more standardized way? For example, I might change the --tls-cipher-list and then call tls.getCiphers(enabled) to only get enabled ciphers. In this case it works to use crypto.constants.defaultCipherList, but having parameters to getCiphers() could also add possibilities like if I use --tls-min-v1.3 there could be a parameter enum to only display the ones used by default. Maybe this would all become too unwieldy and complex, but it's just a suggestion.

Other changes I would make in the docs

First change

Current

Node.js is built with a default suite of enabled and disabled TLS ciphers

Proposal

Node.js is built with a default list of enabled and disabled TLS cipher suites

Reasoning
Each string like TLS_AES_256_GCM_SHA384 is a cipher suite in itself. So what is presented is a list of cipher suites.

Second change

Rename heading Modifying the default TLS cipher suite to Modifying the default TLS cipher suites. It is plural after all.

@thernstig
Contributor Author

thernstig commented Feb 21, 2022

How do I know which suites are enabled in the Node.js version I am using? For example, the default set of enabled cipher suites is mentioned to be:

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA256
HIGH
!aNULL
!eNULL
!EXPORT
!DES
!RC4
!MD5
!PSK
!SRP
!CAMELLIA

If I execute this on openssl (OpenSSL 1.1.1f 31 Mar 2020) on my machine I get:

> openssl ciphers -v "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA"
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
ARIA256-GCM-SHA384      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
ARIA128-GCM-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

The reason for this is the HIGH that the default cipher suites list includes.

But is there any way to view this in Node.js like this, i.e. the full suite of enabled ones? My suggestion above about tls.getCiphers() might remedy this. But is there any way to get this list already now?

@tniessen
Member

I am thinking documentation could be more clear here, as it might not be immediately obvious. The key term supported is easy to misinterpret. To remedy this, I would recommend adding to tls.getCiphers() some note

I had the same thought yesterday and opened #42063 :) I'll look at additional documentation improvements later.

How do I know which suites are enabled in the Node.js version I am using?

There is currently no way to expand the configured list into a list of all the cipher suites. If you need a specific list of cipher suites, you can configure it directly. The format is, unfortunately, specific to OpenSSL. Luckily, with the transition to TLS 1.3 that explicitly lists the few enabled cipher suites, this should not be an issue in the future.

@thernstig
Contributor Author

thernstig commented Feb 21, 2022

Great if you can look at the rest of the doc suggestions :)

There is currently no way to expand the configured list into a list of all the cipher suites.

But there could be, if an API change was made to tls.getCiphers() to accept parameters?

What makes this even more confusing (in regards to enabled vs. disabled) is the output of these:

/*
 * Output from tls.getCiphers()
 */
[
  'aes128-gcm-sha256',
  'aes128-sha',
  'aes128-sha256',
  'aes256-gcm-sha384',
  'aes256-sha',
  'aes256-sha256',
  'dhe-psk-aes128-cbc-sha',
  'dhe-psk-aes128-cbc-sha256',
  'dhe-psk-aes128-gcm-sha256',
  'dhe-psk-aes256-cbc-sha',
  'dhe-psk-aes256-cbc-sha384',
  'dhe-psk-aes256-gcm-sha384',
  'dhe-psk-chacha20-poly1305',
  'dhe-rsa-aes128-gcm-sha256',
  'dhe-rsa-aes128-sha',
  'dhe-rsa-aes128-sha256',
  'dhe-rsa-aes256-gcm-sha384',
  'dhe-rsa-aes256-sha',
  'dhe-rsa-aes256-sha256',
  'dhe-rsa-chacha20-poly1305',
  'ecdhe-ecdsa-aes128-gcm-sha256',
  'ecdhe-ecdsa-aes128-sha',
  'ecdhe-ecdsa-aes128-sha256',
  'ecdhe-ecdsa-aes256-gcm-sha384',
  'ecdhe-ecdsa-aes256-sha',
  'ecdhe-ecdsa-aes256-sha384',
  'ecdhe-ecdsa-chacha20-poly1305',
  'ecdhe-psk-aes128-cbc-sha',
  'ecdhe-psk-aes128-cbc-sha256',
  'ecdhe-psk-aes256-cbc-sha',
  'ecdhe-psk-aes256-cbc-sha384',
  'ecdhe-psk-chacha20-poly1305',
  'ecdhe-rsa-aes128-gcm-sha256',
  'ecdhe-rsa-aes128-sha',
  'ecdhe-rsa-aes128-sha256',
  'ecdhe-rsa-aes256-gcm-sha384',
  'ecdhe-rsa-aes256-sha',
  'ecdhe-rsa-aes256-sha384',
  'ecdhe-rsa-chacha20-poly1305',
  'psk-aes128-cbc-sha',
  'psk-aes128-cbc-sha256',
  'psk-aes128-gcm-sha256',
  'psk-aes256-cbc-sha',
  'psk-aes256-cbc-sha384',
  'psk-aes256-gcm-sha384',
  'psk-chacha20-poly1305',
  'rsa-psk-aes128-cbc-sha',
  'rsa-psk-aes128-cbc-sha256',
  'rsa-psk-aes128-gcm-sha256',
  'rsa-psk-aes256-cbc-sha',
  'rsa-psk-aes256-cbc-sha384',
  'rsa-psk-aes256-gcm-sha384',
  'rsa-psk-chacha20-poly1305',
  'srp-aes-128-cbc-sha',
  'srp-aes-256-cbc-sha',
  'srp-rsa-aes-128-cbc-sha',
  'srp-rsa-aes-256-cbc-sha',
  'tls_aes_128_ccm_8_sha256',
  'tls_aes_128_ccm_sha256',
  'tls_aes_128_gcm_sha256',
  'tls_aes_256_gcm_sha384',
  'tls_chacha20_poly1305_sha256'
]
/*
 * Output from openssl  (OpenSSL 1.1.1f 31 Mar 2020) on my machine:
 * openssl ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA" | tr ':' '\n'
 * (lowercased and sorted alphabetically)
 */
[
  'aes128-ccm',
  'aes128-ccm8',
  'aes128-gcm-sha256',
  'aes128-sha',
  'aes128-sha256',
  'aes256-ccm',
  'aes256-ccm8',
  'aes256-gcm-sha384',
  'aes256-sha',
  'aes256-sha256',
  'aria128-gcm-sha256',
  'aria256-gcm-sha384',
  'dhe-dss-aes128-gcm-sha256',
  'dhe-dss-aes128-sha',
  'dhe-dss-aes128-sha256',
  'dhe-dss-aes256-gcm-sha384',
  'dhe-dss-aes256-sha',
  'dhe-dss-aes256-sha256',
  'dhe-dss-aria128-gcm-sha256',
  'dhe-dss-aria256-gcm-sha384',
  'dhe-rsa-aes128-ccm',
  'dhe-rsa-aes128-ccm8',
  'dhe-rsa-aes128-gcm-sha256',
  'dhe-rsa-aes128-sha',
  'dhe-rsa-aes128-sha256',
  'dhe-rsa-aes256-ccm',
  'dhe-rsa-aes256-ccm8',
  'dhe-rsa-aes256-gcm-sha384',
  'dhe-rsa-aes256-sha',
  'dhe-rsa-aes256-sha256',
  'dhe-rsa-aria128-gcm-sha256',
  'dhe-rsa-aria256-gcm-sha384',
  'dhe-rsa-chacha20-poly1305',
  'ecdhe-aria128-gcm-sha256',
  'ecdhe-aria256-gcm-sha384',
  'ecdhe-ecdsa-aes128-ccm',
  'ecdhe-ecdsa-aes128-ccm8',
  'ecdhe-ecdsa-aes128-gcm-sha256',
  'ecdhe-ecdsa-aes128-sha',
  'ecdhe-ecdsa-aes128-sha256',
  'ecdhe-ecdsa-aes256-ccm',
  'ecdhe-ecdsa-aes256-ccm8',
  'ecdhe-ecdsa-aes256-gcm-sha384',
  'ecdhe-ecdsa-aes256-sha',
  'ecdhe-ecdsa-aes256-sha384',
  'ecdhe-ecdsa-aria128-gcm-sha256',
  'ecdhe-ecdsa-aria256-gcm-sha384',
  'ecdhe-ecdsa-chacha20-poly1305',
  'ecdhe-rsa-aes128-gcm-sha256',
  'ecdhe-rsa-aes128-sha',
  'ecdhe-rsa-aes128-sha256',
  'ecdhe-rsa-aes256-gcm-sha384',
  'ecdhe-rsa-aes256-sha',
  'ecdhe-rsa-aes256-sha384',
  'ecdhe-rsa-chacha20-poly1305',
  'tls_aes_128_gcm_sha256',
  'tls_aes_256_gcm_sha384',
  'tls_chacha20_poly1305_sha256',
];

There is a large difference between these. Mind you, this is partly due to the openssl version I am using when viewing this, but since there is no way to show the full list of what HIGH means in the context of the openssl lib Node.js was built with, I cannot know what will be allowed with my server.

This is important for some projects, as they need export control to show the available TLS cipher suites used.

Is there absolutely no way for me to know this then from the Node.js version I am using, with any of the built-in commands?

@thernstig
Contributor Author

thernstig commented Feb 21, 2022

To be more clear, the last post I made shows me that there are supported suites (via tls.getciphers()) that do not even exist in the cipher suite list I get from my openssl ciphers command with the enabled suites in Node.js. This is... weird. How can suites be supported, but not exist in the enabled suites?

(Could be due to different openssl lib versions, but the difference is rather big)

@alaminhb

This comment was marked as off-topic.

nodejs-github-bot pushed a commit that referenced this issue Feb 22, 2022
PR-URL: #42063
Refs: #42059
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Mestery <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Harshitha K P <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
Reviewed-By: James M Snell <[email protected]>
@tniessen
Member

There is a large difference between these.

The two lists you posted are identical. Maybe I'm misunderstanding. Could you clarify this please?

@thernstig
Contributor Author

thernstig commented Feb 23, 2022

@tniessen I had copy & pasted the wrong content into one of the examples. Updated now. Thanks for notifying me.

I also wrote #42077 in regards to additions to tls.getCiphers().

@tniessen
Member

To be more clear, the last post I made shows me that there are supported suites (via tls.getciphers()) that do not even exist in the cipher suite list I get from my openssl ciphers command with the enabled suites in Node.js. This is... weird. How can suites be supported, but not exist in the enabled suites?

Because Node.js intentionally disables some supported cipher suites by default. For example, the two TLSv1.3 CCM cipher suites are both supported and disabled by default:

node/doc/api/tls.md

Lines 368 to 370 in 38626e7

The first three are enabled by default. The two `CCM`-based suites are supported
by TLSv1.3 because they may be more performant on constrained systems, but they
are not enabled by default since they offer less security.

Your browser might be doing the same thing (depending on the hardware), at least mine does.

sxa pushed a commit to sxa/node that referenced this issue Mar 7, 2022
PR-URL: nodejs#42063
Refs: nodejs#42059
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Mestery <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Harshitha K P <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
Reviewed-By: James M Snell <[email protected]>
danielleadams pushed a commit to danielleadams/node that referenced this issue Apr 21, 2022
PR-URL: nodejs#42063
Refs: nodejs#42059
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Mestery <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Harshitha K P <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
Reviewed-By: James M Snell <[email protected]>
danielleadams pushed a commit that referenced this issue Apr 24, 2022
PR-URL: #42063
Refs: #42059
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Mestery <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Harshitha K P <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
Reviewed-By: James M Snell <[email protected]>
@RopoMen

RopoMen commented Jan 11, 2024

This issue is for TLSv1.3 ciphers, but anyway, I noticed that the current Node.js default cipher suite list contains these two ciphers: ECDHE-RSA-AES256-SHA256 and DHE-RSA-AES256-SHA384

Which ARE NOT in the supported ciphers list through tls.getCiphers(). Is this a documentation bug? Implementation bug? Or are those two ciphers added into the list for the future?

The default cipher suite documentation states that "The default cipher suite included within Node.js has been carefully selected to reflect current security best practices and risk mitigation." If those are carefully selected, then there should be a reason why those two ciphers are added.
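
The supported-versus-enabled distinction explained earlier in the thread, and the mismatch reported in the last comment, can both be checked from inside Node.js. The following is an added example, not code from the Node.js project or from any participant: it classifies the configured cipher string against `tls.getCiphers()`. The function name `auditCipherList`, the report field names, and the hyphen heuristic for telling suite names from OpenSSL keywords are assumptions made for illustration.

```javascript
// Added example: classify an OpenSSL-format cipher string against the suites
// this Node.js build supports. Function and field names are illustrative.
const tls = require('tls');
const nodeCrypto = require('crypto');

function auditCipherList(cipherList, supported) {
  const supportedSet = new Set(supported.map((name) => name.toLowerCase()));
  const report = {
    enabledTls13: [],     // TLS 1.3 suites named in the list and supported
    disabledTls13: [],    // supported TLS 1.3 suites the list does not name
    namedSupported: [],   // older-protocol suites that are named and supported
    namedUnsupported: [], // named in the list but absent from the supported set
    selectors: [],        // OpenSSL keywords such as HIGH; not expandable here
    excluded: [],         // entries removed with "!" or "-"
  };

  for (const raw of cipherList.split(':')) {
    const entry = raw.trim();
    const lower = entry.toLowerCase();
    if (!entry) continue;
    if (entry.startsWith('!') || entry.startsWith('-')) {
      report.excluded.push(entry.slice(1));
    } else if (lower.startsWith('tls_')) {
      // TLS 1.3 suites are listed by full name, so the list itself is the
      // complete answer for TLS 1.3.
      const bucket = supportedSet.has(lower) ? 'enabledTls13' : 'namedUnsupported';
      report[bucket].push(entry);
    } else if (supportedSet.has(lower)) {
      report.namedSupported.push(entry);
    } else if (entry.includes('-')) {
      // Heuristic (assumption): a hyphenated entry is a suite name, not a keyword.
      report.namedUnsupported.push(entry);
    } else {
      report.selectors.push(entry);
    }
  }

  const named13 = new Set(report.enabledTls13.map((name) => name.toLowerCase()));
  report.disabledTls13 = [...supportedSet].filter(
    (name) => name.startsWith('tls_') && !named13.has(name)
  );
  return report;
}

// Audit the running Node.js binary: configured default list vs. supported suites.
function auditThisRuntime() {
  return auditCipherList(nodeCrypto.constants.defaultCipherList, tls.getCiphers());
}

console.log(auditThisRuntime());
```

Anything reported under `selectors` (for example `HIGH`) is resolved by the linked OpenSSL library, so the report covers only the suites that are named explicitly and cannot enumerate what such keywords enable.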


7 participants
@tniessen @richardlau @RopoMen @thernstig @Mesteery @alaminhb and others