author | Ben Noordhuis <info@bnoordhuis.nl> | 2012-08-22 00:27:13 +0400 |
---|---|---|
committer | Ben Noordhuis <info@bnoordhuis.nl> | 2012-08-22 00:27:13 +0400 |
commit | badbd1af27f5f3fd07862b8ee7d0810e7ae9ef56 (patch) | |
tree | 75d58772b7db876a79d2bb2599607cc18c6474f3 /lib | |
parent | 7c75ca7182872c95c798e192ed28c1c610b1024b (diff) |
tls: update default cipher list
Update the default cipher list from RC4-SHA:AES128-SHA:AES256-SHA
to ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
in order to mitigate BEAST attacks.
The documentation suggested AES256-SHA but unfortunately that's a CBC cipher
and therefore susceptible to attacks.
Fixes #3900.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/tls.js | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/tls.js b/lib/tls.js
index 71a2724e149..aaafd526d35 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -29,6 +29,9 @@ var END_OF_FILE = 42;
 var assert = require('assert').ok;
 var constants = require('constants');
+var DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' + // TLS 1.2
+ 'RC4:HIGH:!MD5:!aNULL:!EDH' // TLS 1.0
+
 // Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations
 // every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more
 // renegotations are seen. The settings are applied to all remote client
@@ -1031,7 +1034,7 @@ function Server(/* [options], listener */) {
 passphrase: self.passphrase,
 cert: self.cert,
 ca: self.ca,
- ciphers: self.ciphers || 'RC4-SHA:AES128-SHA:AES256-SHA',
+ ciphers: self.ciphers || DEFAULT_CIPHERS,
 secureProtocol: self.secureProtocol,
 secureOptions: self.secureOptions,
 crl: self.crl, |
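Review bot: In the first hunk, the `HIGH` keyword in the TLS 1.0 half of `DEFAULT_CIPHERS` still admits CBC suites, so the string only ranks RC4 ahead of them and does not exclude them; the BEAST mitigation described in the commit message therefore rests on ordering alone. A comment on the constant should say so, for example `// RC4 precedes HIGH so TLS 1.0 peers prefer a non-CBC suite; order is significant`. RC4 itself was later prohibited for TLS by RFC 7465, so the default needs revisiting rather than being treated as a lasting recommendation. The declaration also ends without a semicolon and relies on ASI, unlike the `var` statements above it; add `;` after `'RC4:HIGH:!MD5:!aNULL:!EDH'`.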
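Review bot: In the second hunk, the `ciphers: self.ciphers || DEFAULT_CIPHERS` fallback changes which suites the server offers, but the suite actually negotiated still follows the client's preference unless the server enforces its own order. Nothing visible here does that, since `secureOptions: self.secureOptions` is passed through unchanged, so a TLS 1.0 client that lists a CBC suite first presumably still negotiates one. Either state next to the default that `honorCipherOrder` must be enabled for the mitigation to hold, or have the default path turn on server cipher preference when `self.ciphers` is unset. The options object inside `Server` starts and ends outside the hunk, so any handling elsewhere in the function is not visible from here.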