Skip to content
This repository has been archived by the owner on Jun 12, 2022. It is now read-only.

This library leads to insecure https connectivity #58

Open
heri16 opened this issue Jun 12, 2018 · 0 comments
Open

This library leads to insecure https connectivity #58

heri16 opened this issue Jun 12, 2018 · 0 comments

Comments

@heri16
Copy link

heri16 commented Jun 12, 2018

There are many reports on the lack-lustre security of many ciphers used as the default in this library.
SSLv3 has been proven to be insecure.

We should add support for tls options such as secureProtocol and ciphers, ecdhCurve, honorCipherOrder, and servername.

const tls = {
  // Refer to `tls.connect()` section in
  // https://nodejs.org/api/tls.html
  // for all supported options
  secureProtocol: 'TLSv1_2_method',
  // ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
  // ecdhCurve: 'auto',
  ciphers: 'ECDHE-RSA-AES128-GCM-SHA256',
  ecdhCurve: 'secp384r1',
  honorCipherOrder: true,
  servername: 'servernameindication',
  ca: [
    fs.readFileSync('cert/AmazonRootCA1.pem'),
  ],
}
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@heri16