Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: more secure defaults #826

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 18 additions & 30 deletions doc/api/tls.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,10 @@ To create a self-signed certificate with the CSR, do this:

Alternatively you can send the CSR to a Certificate Authority for signing.

(TODO: docs on creating a CA, for now interested users should just look at
`test/fixtures/keys/Makefile` in the Node source code)
For Perfect Forward Secrecy, it is required to generate Diffie-Hellman
parameters:

openssl dhparam -outform PEM -out dhparam.pem 2048

To create .pfx or .p12, do this:

Expand Down Expand Up @@ -136,31 +138,20 @@ automatically set as a listener for the [secureConnection][] event. The
- `crl` : Either a string or list of strings of PEM encoded CRLs (Certificate
Revocation List)

- `ciphers`: A string describing the ciphers to use or exclude.

To mitigate [BEAST attacks] it is recommended that you use this option in
conjunction with the `honorCipherOrder` option described below to
prioritize the non-CBC cipher.

Defaults to
`ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL`.
Consult the [OpenSSL cipher list format documentation] for details
on the format.
- `ciphers`: A string describing the ciphers to use or exclude, seperated by
`:`. The default cipher suite is:

`ECDHE-RSA-AES128-SHA256`, `DHE-RSA-AES128-SHA256` and
`AES128-GCM-SHA256` are TLS v1.2 ciphers and used when io.js is
linked against OpenSSL 1.0.1 or newer, such as the bundled version
of OpenSSL. Note that it is still possible for a TLS v1.2 client
to negotiate a weaker cipher unless `honorCipherOrder` is enabled.
ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:
HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA

`RC4` is used as a fallback for clients that speak on older version of
the TLS protocol. `RC4` has in recent years come under suspicion and
should be considered compromised for anything that is truly sensitive.
It is speculated that state-level actors possess the ability to break it.

**NOTE**: Previous revisions of this section suggested `AES256-SHA` as an
acceptable cipher. Unfortunately, `AES256-SHA` is a CBC cipher and therefore
susceptible to [BEAST attacks]. Do *not* use it.
The default cipher suite prefers ECDHE and DHE ciphers for Perfect Forward
secrecy, while offering *some* backward compatibiltity. Old clients which
rely on insecure and deprecated RC4 or DES-based ciphers (like Internet
Explorer 6) aren't able to complete the handshake with the default
configuration. If you absolutely must support these clients, the
[TLS recommendations] may offer a compatible cipher suite. For more details
on the format, see the [OpenSSL cipher list format documentation].

- `ecdhCurve`: A string describing a named curve to use for ECDH key agreement
or false to disable ECDH.
Expand All @@ -178,11 +169,7 @@ automatically set as a listener for the [secureConnection][] event. The
times out.

- `honorCipherOrder` : When choosing a cipher, use the server's preferences
instead of the client preferences.

Although, this option is disabled by default, it is *recommended* that you
use this option in conjunction with the `ciphers` option to mitigate
BEAST attacks.
instead of the client preferences. Default: `true`.

- `requestCert`: If `true` the server will request a certificate from
clients that connect and attempt to verify that certificate. Default:
Expand Down Expand Up @@ -812,3 +799,4 @@ The numeric representation of the local port.
[ECDHE]: https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman
[asn1.js]: http://npmjs.org/package/asn1.js
[OCSP request]: http://en.wikipedia.org/wiki/OCSP_stapling
[TLS recommendations]: https://wiki.mozilla.org/Security/Server_Side_TLS
6 changes: 3 additions & 3 deletions lib/_tls_wrap.js
Original file line number Diff line number Diff line change
Expand Up @@ -703,10 +703,10 @@ Server.prototype.setOptions = function(options) {
if (options.sessionTimeout) this.sessionTimeout = options.sessionTimeout;
if (options.ticketKeys) this.ticketKeys = options.ticketKeys;
var secureOptions = options.secureOptions || 0;
if (options.honorCipherOrder)
this.honorCipherOrder = true;
if (options.honorCipherOrder !== undefined)
this.honorCipherOrder = !!options.honorCipherOrder;
else
this.honorCipherOrder = false;
this.honorCipherOrder = true;
if (secureOptions) this.secureOptions = secureOptions;
if (options.NPNProtocols) tls.convertNPNProtocols(options.NPNProtocols, this);
if (options.sessionIdContext) {
Expand Down
23 changes: 18 additions & 5 deletions lib/tls.js
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,24 @@ exports.CLIENT_RENEG_WINDOW = 600;

exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024;

exports.DEFAULT_CIPHERS =
// TLS 1.2
'ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' +
// TLS 1.0
'RC4:HIGH:!MD5:!aNULL';
exports.DEFAULT_CIPHERS = [
'ECDHE-RSA-AES256-SHA384',
'DHE-RSA-AES256-SHA384',
'ECDHE-RSA-AES256-SHA256',
'DHE-RSA-AES256-SHA256',
'ECDHE-RSA-AES128-SHA256',
'DHE-RSA-AES128-SHA256',
'HIGH',
'!aNULL',
'!eNULL',
'!EXPORT',
'!DES',
'!RC4',
'!MD5',
'!PSK',
'!SRP',
'!CAMELLIA'
].join(':');

exports.DEFAULT_ECDH_CURVE = 'prime256v1';

Expand Down