Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to disable tls 1.0 and use only tls 1.1 using nodejs

Tags:

node.js

ssl

I want to disable the TLS v1.0 and use TLS 1.1 and above only.

By nodejs, I use the https module, how to set the https options?

I have read the api doc node api tls, but I still don't know how to set this.

I think it depends on the secureProtocol and cipher, but I just don't know how to set the value.

My node version is 0.10.36, and openssl version is 0.9.8j.

like image 398
shangyin Avatar asked Jul 03 '15 07:07

shangyin


People also ask

Is TLS 1.1 disabled by default?

TLS 1.0/1.1 will not be disabled by default for Internet Explorer and EdgeHTML (the rendering engine for the WebView control) until 2022. Organizations that wish to disable TLS 1.0 and TLS 1.1 before that time may do so using Group Policy.


1 Answers

Marco's solution worked for me, but as TLS 1.1 is also considered a vulnerability, it is better to disable both and go with TLS 1.2

const { constants } = require('crypto')
https.createServer({
    secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1
    pfx: fs.readFileSync(path.resolve(pathToCert))
}, app).listen(443)
like image 60
kormathaw A Avatar answered Oct 07 '22 14:10

kormathaw A