What's the proper way to disable "early TLS" (TLS 1.0) in node?

Arthur Blake

Apr 14, 2016, 7:08:55 PM
to nodejs
What's the proper way to disable "early TLS" (TLS 1.0) in node? Apparently this is now required for PCI compliance on new websites - see https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf

Ben Noordhuis

Apr 15, 2016, 2:31:21 PM
to nod...@googlegroups.com
To disable TLS v1.0 but not v1.1 or v1.2, pass `{ secureOptions:
require('constants').SSL_OP_NO_TLSv1 }` to tls.createServer() or
tls.connect().
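
Added example, not part of the thread or of Node's own documentation: the `secureOptions` flag from the answer above, merged into existing options and audited before the options reach `tls.createServer()` or `tls.connect()`. The helper names `withoutTls10`, `disabledProtocols` and `buildContext` are assumptions made for this example; the flags are read from `require('crypto').constants`, which exposes the same `SSL_OP_*` values as the `constants` module.

```javascript
const tls = require('tls');
const { constants } = require('crypto'); // same SSL_OP_* values as require('constants')

// Protocol-disabling flags that can be set in secureOptions.
const NO_FLAGS = {
  'SSLv3': constants.SSL_OP_NO_SSLv3,
  'TLSv1': constants.SSL_OP_NO_TLSv1,
  'TLSv1.1': constants.SSL_OP_NO_TLSv1_1,
  'TLSv1.2': constants.SSL_OP_NO_TLSv1_2,
};

// Hypothetical helper: OR the TLS 1.0 flag into whatever secureOptions the
// caller already set, so existing flags are preserved instead of overwritten.
function withoutTls10(options = {}) {
  const secureOptions = (options.secureOptions || 0) | constants.SSL_OP_NO_TLSv1;
  return { ...options, secureOptions };
}

// Hypothetical audit helper: list the protocol versions an options object
// switches off through secureOptions, e.g. for a startup or CI check.
function disabledProtocols(options = {}) {
  const bits = options.secureOptions || 0;
  return Object.keys(NO_FLAGS).filter((name) => (bits & NO_FLAGS[name]) !== 0);
}

// tls.createSecureContext() takes the same secureOptions field as
// tls.createServer() and tls.connect(), and needs no key or certificate,
// so it can be used to confirm that the option value is accepted.
function buildContext(options = {}) {
  return tls.createSecureContext(withoutTls10(options));
}

// Constructed sample: a server config that already carries another flag.
const sample = withoutTls10({
  secureOptions: constants.SSL_OP_CIPHER_SERVER_PREFERENCE,
});
console.log('disabled by secureOptions:', disabledProtocols(sample));
```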

Arthur Blake

Apr 18, 2016, 8:43:50 PM
to nodejs
Thank you so much! It works. I wish this was in the API docs somewhere (I spent countless hours searching for this!)
I would think having TLS 1.0 disabled (with 1.1 and 1.2 enabled) should soon be the default configuration for Node...
TLS 1.0 seems reasonably secure (especially compared to SSLv2 and SSLv3), but is not PCI compliant for credit card transactions...
And modern browsers support TLS 1.1 and 1.2 pretty well (for quite some time now.)