Disabling TLS 1.1 in node.js?

I am currently experiencing a known issue with OpenSSL on Ubuntu 12.04. This problem has already been fixed in Debian, and I expect it to be fixed soon in Ubuntu. However, at the same time, I will need a workaround.

So, is it possible to disable TLS1 in Node and have something equivalent to the tls1 switch:

 openssl s_client -tls1 -connect evernote.com:443 

Here is a simple Node.js script to replicate the problem (on Ubuntu 12.04 w/ OpenSSL 1.0.1):

    var https = require('https');

    https.get({
        host: 'www.evernote.com',
        path: '/',
        port: 443
    }, function (res) {
        console.log('Success!');
    });
+4
2 answers

Judging by the documentation and sources (1, 2), it should be possible to pass a request options object that contains something like

 options = { secureProtocol: 'TLSv1_method' } 

to use TLSv1 (and only that) for this particular connection.

By default, OpenSSL's SSLv23_method is used, which means using the highest version of TLS/SSL that is understood by both parties.

Although this is possible in OpenSSL itself, it is not possible to blacklist a specific version of TLS (as in "use the highest possible version, but never this one") in node.js; as far as I can see, the flags for this are not exported to node.js.

+4

I ran into an error where I could not connect to livefilestore.com via ssl via node. Here is the fix:

    var https = require('https');

    var HTTPS_AGENT = new https.Agent({
        secureProtocol: 'SSLv3_method' // default is SSLv23_method
    });

    var req_opts = { /* ... */ };
    req_opts.agent = HTTPS_AGENT;

    https.request(req_opts, function (res) { /* ... */ });

Interestingly, I was able to reproduce the error in curl with later versions of libopenssl, but my older boxes did not reproduce the problem. I was able to reproduce it on Ubuntu and Gentoo. When experimenting with curl, using -2 always breaks (differently, though: it does not hang, it just reports that it is not supported) and -3 never reproduces the problem. I do not know if this is related at all. Without specifying -3, it tries and fails to perform the SSLv3 handshake. It's strange.

+2
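
The ways of restricting protocol versions discussed in the two answers above, as an added example that is not part of the original posts. It goes beyond them by also showing the `minVersion`/`maxVersion` range and the `SSL_OP_NO_*` exclusion flags; it assumes a current Node.js release where those are available, and the helper names (`pinned`, `bounded`, `excluding`, `rejectedBecause`, `probe`) are hypothetical.

```javascript
'use strict';
const tls = require('tls');
const https = require('https');
const { constants } = require('crypto');

// OpenSSL "do not offer this version" flags, as exported by current Node.js.
const NO_FLAG = {
  'TLSv1': constants.SSL_OP_NO_TLSv1,
  'TLSv1.1': constants.SSL_OP_NO_TLSv1_1,
  'TLSv1.2': constants.SSL_OP_NO_TLSv1_2,
  'TLSv1.3': constants.SSL_OP_NO_TLSv1_3,
};

// 1. Pin exactly one version, as in the answers above (secureProtocol).
function pinned(method) { return { secureProtocol: method }; }

// 2. Allow a contiguous range of versions (minVersion / maxVersion).
function bounded(min, max) { return { minVersion: min, maxVersion: max }; }

// 3. Exclude named versions and leave the rest negotiable (secureOptions).
function excluding(versions) {
  let mask = 0;
  for (const v of versions) {
    if (!(v in NO_FLAG)) throw new RangeError('unknown TLS version: ' + v);
    mask |= NO_FLAG[v];
  }
  return { secureOptions: mask };
}

// Ask Node/OpenSSL whether it accepts the options, without any network I/O.
// Returns null when accepted, otherwise the error code or message.
function rejectedBecause(opts) {
  try { tls.createSecureContext(opts); return null; }
  catch (err) { return err.code || err.message; }
}

// Connect and report what was actually negotiated (needs network access).
// `host` is whichever server is being troubleshot.
function probe(host, opts, done) {
  const target = Object.assign({ host: host, path: '/', port: 443 }, opts);
  const req = https.get(target, function (res) {
    done(null, res.socket.getProtocol()); // e.g. 'TLSv1.2'
    res.resume();
  });
  req.on('error', done);
}
```

Current Node.js rejects `SSLv3_method` outright, and combining `secureProtocol` with `minVersion`/`maxVersion` fails with `ERR_TLS_PROTOCOL_VERSION_CONFLICT`, so `rejectedBecause` is a quick check that a workaround still loads before relying on it.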

Source: https://habr.com/ru/post/1414593/

