Conductance server SSL safety
23 views
Skip to first unread message
shant...@gmail.com
Feb 1, 2016, 1:48:17 PM2/1/16
to StratifiedJS
When reviewing this documentation:
https://conductance.io/reference#sjs:nodejs/http::withServer
I do not see parameters which can be used to configure what encryption ciphers/protocols to use. By default, the server seems to be using at least one vulnerable protocol (SSLv3) and one vulnerable cipher suite (RC4). Is there an undocumented way of configuring the server to disable these?
https://conductance.io/reference#sjs:nodejs/http::withServer
I do not see parameters which can be used to configure what encryption ciphers/protocols to use. By default, the server seems to be using at least one vulnerable protocol (SSLv3) and one vulnerable cipher suite (RC4). Is there an undocumented way of configuring the server to disable these?
shant...@gmail.com
Feb 2, 2016, 1:35:26 AM2/2/16
to StratifiedJS
I was able to solve this by making the changes below. Hopefully, someone will chime in and tell me there was a better (easier?) way.
1. Modify portions of the file http.sjs in the stratifiedjs node_module used by the conductance node_module. The modifications will allow the needed config.mho settings to make it all the way into the node server started by conductance.
2. Add the following to the address section of the config.mho file:
1. Modify portions of the file http.sjs in the stratifiedjs node_module used by the conductance node_module. The modifications will allow the needed config.mho settings to make it all the way into the node server started by conductance.
...
function withServer(config, server_loop) {
// detangle configuration:
if (typeof config != 'object')
config = { address: config };
config = override({
address: '0',
max_connections: 1000,
capacity: 100,
ssl: false,
key: undefined,
cert: undefined,
ca: undefined,
passphrase: undefined,
fd: undefined,
log: x => logging.info(address, ":", x),
secureOptions: undefined,
secureProtocol: undefined,
ciphers: undefined
}, config);
...
var server;
if (!config.ssl)
server = builtin_http.createServer(dispatchRequest);
else{
server = require('https').createServer(
{
key: undefined,
cert: undefined,
ca: undefined,
passphrase: undefined,
secureOptions: undefined,
secureProtocol: undefined,
ciphers: undefined
} .. override(config),
dispatchRequest);
}
...
2. Add the following to the address section of the config.mho file:
...
var address = @Port(port, host);
if (opts.ssl) {
address = address.ssl({
secureProtocol: 'SSLv23_method',
secureOptions: constants.SSL_OP_NO_SSLv3,
key: @fs.readFile("#{process.cwd()}/ssl/privkey.pem"),
cert: @fs.readFile("#{process.cwd()}/ssl/cert.pem"),
ciphers: [
"ECDHE-RSA-AES128-SHA256",
"DHE-RSA-AES128-SHA256",
"AES128-GCM-SHA256",
"!RC4", // RC4 be gone
"HIGH",
"!MD5",
"!aNULL"
].join(':')
});
}
...
Alexander Fritze
Feb 2, 2016, 11:29:09 AM2/2/16
to strati...@googlegroups.com, shant...@gmail.com
Hi Shante,
Thanks a lot for pointing out those shortfalls and coming up with a
solution! I'll add your modifications to the stratifiedjs/conductance
github repositories.
We'll try to get new stratifiedjs/conductance releases out soon.
Cheers,
Alex
> --
> You received this message because you are subscribed to the Google Groups
> "StratifiedJS" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to stratifiedjs...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Thanks a lot for pointing out those shortfalls and coming up with a
solution! I'll add your modifications to the stratifiedjs/conductance
github repositories.
We'll try to get new stratifiedjs/conductance releases out soon.
Cheers,
Alex
> You received this message because you are subscribed to the Google Groups
> "StratifiedJS" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to stratifiedjs...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages