Conductance server SSL safety


shant...@gmail.com

Feb 1, 2016, 1:48:17 PM
to StratifiedJS
When reviewing this documentation:
https://conductance.io/reference#sjs:nodejs/http::withServer

I do not see parameters which can be used to configure what encryption ciphers/protocols to use. By default, the server seems to be using at least one vulnerable protocol (SSLv3) and one vulnerable cipher suite (RC4). Is there an undocumented way of configuring the server to disable these?

shant...@gmail.com

Feb 2, 2016, 1:35:26 AM
to StratifiedJS
I was able to solve this by making the changes below. Hopefully, someone will chime in and tell me there was a better (easier?) way.

1. Modify portions of the file http.sjs in the stratifiedjs node_module used by the conductance node_module. The modifications will allow the needed config.mho settings to make it all the way into the node server started by conductance.
...

function withServer(config, server_loop) {

  // detangle configuration:
  if (typeof config != 'object')
    config = { address: config };

  config = override({
    address: '0',
    max_connections: 1000,
    capacity: 100,
    ssl: false,
    key: undefined,
    cert: undefined,
    ca: undefined,
    passphrase: undefined,
    fd: undefined,
    log: x => logging.info(address, ":", x),
    // added: TLS settings that config.mho may supply
    secureOptions: undefined,
    secureProtocol: undefined,
    ciphers: undefined
  }, config);

...

  var server;
  if (!config.ssl)
    server = builtin_http.createServer(dispatchRequest);
  else {
    server = require('https').createServer(
      {
        key: undefined,
        cert: undefined,
        ca: undefined,
        passphrase: undefined,
        // added: forwarded to node's https server so SSLv3 / RC4 can be disabled
        secureOptions: undefined,
        secureProtocol: undefined,
        ciphers: undefined
      } .. override(config),
      dispatchRequest
    );
  }

...


2. Add the following to the address section of the config.mho file:
...

  // `constants` is assumed to be node's require('constants') module (not shown in this excerpt)
  var address = @Port(port, host);
  if (opts.ssl) {
    address = address.ssl({
      // SSLv23_method negotiates the highest protocol both sides support;
      // SSL_OP_NO_SSLv3 removes SSLv3 from that set
      secureProtocol: 'SSLv23_method',
      secureOptions: constants.SSL_OP_NO_SSLv3,
      key: @fs.readFile("#{process.cwd()}/ssl/privkey.pem"),
      cert: @fs.readFile("#{process.cwd()}/ssl/cert.pem"),
      // OpenSSL cipher string: '!' entries are permanent exclusions
      ciphers: [
          "ECDHE-RSA-AES128-SHA256",
          "DHE-RSA-AES128-SHA256",
          "AES128-GCM-SHA256",
          "!RC4", // RC4 be gone
          "HIGH",
          "!MD5",
          "!aNULL"
      ].join(':')
    });
  }

...

Alexander Fritze

Feb 2, 2016, 11:29:09 AM
to strati...@googlegroups.com, shant...@gmail.com
Hi Shante,

Thanks a lot for pointing out those shortfalls and coming up with a
solution! I'll add your modifications to the stratifiedjs/conductance
github repositories.

We'll try to get new stratifiedjs/conductance releases out soon.

Cheers,
Alex