make-fetch-happen
This library leads to insecure https connectivity
There are many reports on the lack-lustre security of many ciphers used as the default in this library. SSLv3 has been proven to be insecure.
We should add support for tls options such as secureProtocol and ciphers, ecdhCurve, honorCipherOrder, and servername.
const fs = require('fs'); // needed for readFileSync below

const tls = {
  // Refer to `tls.connect()` section in
  // https://nodejs.org/api/tls.html
  // for all supported options
  secureProtocol: 'TLSv1_2_method',
  // ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
  // ecdhCurve: 'auto',
  ciphers: 'ECDHE-RSA-AES128-GCM-SHA256',
  ecdhCurve: 'secp384r1',
  honorCipherOrder: true,
  servername: 'servernameindication',
  ca: [
    fs.readFileSync('cert/AmazonRootCA1.pem'),
  ],
}
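
The options requested above can be checked before they reach a connection. The following is an added example, not code from the post or from make-fetch-happen: it uses only Node.js's built-in `tls`, `net` and `https` modules, and the names `auditTlsOptions` and `buildAgent` as well as the sample values are assumptions made for illustration.

```javascript
'use strict';
const tls = require('node:tls');
const net = require('node:net');
const https = require('node:https');

// Methods that pin the connection to a deprecated protocol version.
const LEGACY_METHOD = /^(SSLv2|SSLv3|TLSv1|TLSv1_1)_(client_|server_)?method$/;
// Cipher-name components that mark a suite as weak or unauthenticated.
const WEAK_PARTS = new Set(['RC4', 'DES', '3DES', 'NULL', 'EXP', 'MD5', 'ADH', 'AECDH']);

// Hypothetical helper: returns a list of findings; empty means every check passed.
function auditTlsOptions(opts) {
  const findings = [];
  if (LEGACY_METHOD.test(opts.secureProtocol || '')) {
    findings.push(`legacy protocol method: ${opts.secureProtocol}`);
  }
  const supported = new Set(tls.getCiphers()); // lowercase names known to this build
  for (const entry of (opts.ciphers || '').split(':').filter(Boolean)) {
    if (/^[!+-]/.test(entry)) continue; // exclusion or reordering, not a selection
    if (entry.toUpperCase().split('-').some((p) => WEAK_PARTS.has(p))) {
      findings.push(`weak cipher entry: ${entry}`);
    } else if (entry.includes('-') && !supported.has(entry.toLowerCase())) {
      findings.push(`cipher not supported by this Node.js build: ${entry}`);
    }
  }
  if (opts.servername !== undefined && net.isIP(opts.servername) !== 0) {
    findings.push('servername must be a host name, not an IP address');
  }
  try {
    tls.createSecureContext(opts); // let OpenSSL reject what it cannot load
  } catch (err) {
    findings.push(`rejected by tls.createSecureContext(): ${err.message}`);
  }
  return findings;
}

// Hypothetical helper: builds an https.Agent only when the audit is clean.
function buildAgent(opts) {
  const findings = auditTlsOptions(opts);
  if (findings.length > 0) throw new Error(findings.join('; '));
  return new https.Agent(opts);
}

// Constructed sample values; the first mirrors the options in the post, minus `ca`.
const pinned = { secureProtocol: 'TLSv1_2_method', ciphers: 'ECDHE-RSA-AES128-GCM-SHA256',
  ecdhCurve: 'secp384r1', honorCipherOrder: true, servername: 'example.test' };
const legacy = { secureProtocol: 'SSLv3_method', ciphers: 'RC4-SHA', servername: '192.0.2.10' };
console.log(auditTlsOptions(pinned));
console.log(auditTlsOptions(legacy));
```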