make-fetch-happen

This library leads to insecure https connectivity

Open heri16 opened this issue 6 years ago • 0 comments

There are many reports on the lack-lustre security of many ciphers used as the default in this library. SSLv3 has been proven to be insecure.

We should add support for TLS options such as secureProtocol, ciphers, ecdhCurve, honorCipherOrder, and servername.

const fs = require('fs')

const tls = {
  // Refer to `tls.connect()` section in
  // https://nodejs.org/api/tls.html
  // for all supported options
  // Pin the connection to TLS 1.2
  secureProtocol: 'TLSv1_2_method',
  // ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
  // ecdhCurve: 'auto',
  ciphers: 'ECDHE-RSA-AES128-GCM-SHA256',
  ecdhCurve: 'secp384r1',
  honorCipherOrder: true,
  // Hostname sent in the SNI extension
  servername: 'servernameindication',
  // Trust only this root CA instead of the default bundle
  ca: [
    fs.readFileSync('cert/AmazonRootCA1.pem'),
  ],
}

heri16, Jun 12 '18 11:06
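If options like the ones in this issue are passed through to `tls.connect()`, they are worth linting before use. The following is an added example, not code from the issue or from make-fetch-happen: `auditTlsOptions` and both sample objects are hypothetical, and `minVersion` is a Node.js TLS option that the issue does not mention.

```javascript
// Added example: lint a tls.connect()-style options object.
// Method names and cipher keywords follow OpenSSL naming.
const LEGACY_METHODS = /^(SSLv2|SSLv3|TLSv1|TLSv1_1)(_client|_server)?_method$/
const WEAK_MIN_VERSIONS = ['TLSv1', 'TLSv1.1']
const WEAK_CIPHER = /(RC4|DES|NULL|EXP|MD5|ADH|AECDH)/

function auditTlsOptions (opts) {
  const findings = []
  const add = (option, value, issue) => findings.push({ option, value, issue })

  if (opts.secureProtocol && LEGACY_METHODS.test(opts.secureProtocol)) {
    add('secureProtocol', opts.secureProtocol, 'pins a deprecated protocol version')
  }
  if (WEAK_MIN_VERSIONS.includes(opts.minVersion)) {
    add('minVersion', opts.minVersion, 'allows a protocol older than TLS 1.2')
  }
  for (const raw of (opts.ciphers || '').split(':')) {
    const token = raw.trim()
    // '!' and '-' entries remove ciphers from the list, so skip them
    if (!token || token[0] === '!' || token[0] === '-') continue
    const name = token.replace(/^\+/, '')
    if (WEAK_CIPHER.test(name)) {
      add('ciphers', name, 'weak or unauthenticated cipher')
    } else if (name.includes('-') && !/^(ECDHE|DHE)-/.test(name)) {
      add('ciphers', name, 'no forward secrecy (static key exchange)')
    }
  }
  return findings
}

// Options from the issue above, minus the CA file read
const issueOptions = {
  secureProtocol: 'TLSv1_2_method',
  ciphers: 'ECDHE-RSA-AES128-GCM-SHA256',
  ecdhCurve: 'secp384r1',
  honorCipherOrder: true,
  servername: 'servernameindication'
}

// Constructed weak configuration for comparison
const weakOptions = {
  secureProtocol: 'SSLv3_method',
  ciphers: 'RC4-SHA:AES128-SHA:!aNULL:ECDHE-RSA-AES128-GCM-SHA256'
}

console.log(auditTlsOptions(issueOptions))
console.log(auditTlsOptions(weakOptions))
```

The check is name-based only; it does not confirm what a given server actually negotiates.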