How to disable the SSL 3.0 and TLS 1.0 in nodejs

Tags: node.js, ssl

I am using nodejs in Ubuntu, and I want to disable both SSL 3.0 and TLS v1.0.

Here is my code

var constants = require('constants')
  , https = require('https')
  , path = require('path')
  , tls = require('tls')
  , fs = require('fs');
var sslOptions = {
  key: fs.readFileSync('/etc/ssl/private/private.key'),
  secureProtocol: 'SSLv23_server_method',
  secureOptions: constants.SSL_OP_NO_SSLv3,
  secureOptions: constants.SSL_OP_NO_TLSv1,
  cert: fs.readFileSync('/etc/ssl/certs/STAR_mycert.crt'),
  ca: [
    fs.readFileSync('/etc/ssl/certs/AddTrustExternalCARoot_1.crt'),
    fs.readFileSync('/etc/ssl/certs/AddTrustExternalCARoot_2.crt'),
    fs.readFileSync('/etc/ssl/certs/AddTrustExternalCARoot_3.crt')
  ],
  //ca: fs.readFileSync('/etc/ssl/certs/AddTrustExternalCARoot.crt'),
  requestCert: false,
  rejectUnauthorized: false
};

Now when I test my website on DigiCert, I get the following issue:


Any idea how to do this?

Ankita Kashyap asked Nov 05 '16 05:11

2 Answers

I don't know much about node.js but I think that your last secureOptions simply overrides the first one because you cannot have the same key multiple times in a dictionary. Since the underlying TLS stack (OpenSSL) requires that the options are combined with bitwise OR, try the following instead:

secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1,
Steffen Ullrich answered Oct 25 '22 13:10


The accepted answer is undocumented. As of Node.js v6.3.0, there actually is a documented constants attribute inside the crypto module which should be used.

...
const { constants } = require('crypto')
https.createServer({
    secureOptions: constants.SSL_OP_NO_TLSv1
}, app).listen(443)
...
marcoc88 answered Oct 25 '22 12:10
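
An added example, not code from the question or from either answer: it audits an options object for the two flags discussed above, showing that the duplicated `secureOptions` key from the question leaves SSLv3 enabled while the OR-combined value disables both. The helper names `legacyStillEnabled` and `withLegacyDisabled` are hypothetical, and the sample option objects are constructed for illustration.

```javascript
// Added example: check which legacy protocols a TLS options object leaves on.
const { constants } = require('crypto'); // documented home of the SSL_OP_* flags

// Protocols this page wants off, mapped to their OpenSSL "NO_" option bits.
const LEGACY = {
  SSLv3: constants.SSL_OP_NO_SSLv3,
  TLSv1: constants.SSL_OP_NO_TLSv1,
};

// Names of the legacy protocols that secureOptions does NOT switch off.
function legacyStillEnabled(options) {
  const mask = options.secureOptions || 0;
  return Object.keys(LEGACY).filter((name) => (mask & LEGACY[name]) === 0);
}

// Copy of the options with both flags OR-ed into the bits already set,
// so existing flags (e.g. cipher server preference) are preserved.
function withLegacyDisabled(options) {
  const extra = Object.values(LEGACY).reduce((acc, flag) => acc | flag, 0);
  return { ...options, secureOptions: (options.secureOptions || 0) | extra };
}

// As in the question: the key appears twice, so the second value silently
// replaces the first and the SSL_OP_NO_SSLv3 bit is lost.
const asAsked = {
  secureProtocol: 'SSLv23_server_method',
  secureOptions: constants.SSL_OP_NO_SSLv3,
  secureOptions: constants.SSL_OP_NO_TLSv1,
};

// As in the first answer: one key, both bits combined with bitwise OR.
const combined = {
  secureProtocol: 'SSLv23_server_method',
  secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1,
};

console.log('question :', legacyStillEnabled(asAsked));
console.log('answer   :', legacyStillEnabled(combined));
console.log('repaired :', legacyStillEnabled(withLegacyDisabled(asAsked)));
```

A check like this can run at startup or in a unit test so that a later edit to the options object cannot quietly drop one of the flags.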