
Adding option to disable older SSL/TLS versions #207

Merged: 2 commits, Apr 30, 2019

Conversation

James9074 (Contributor) commented Apr 17, 2019

In response to issue 206, this change allows one to optionally pass in "secureOptions" when starting an https proxy, as you normally would to an https config object. redbird will pass it along into the https proxy server, and you can effectively disable TLS 1.0 (or other older, vulnerable versions of SSL/TLS).

See the following for an example of disabling TLS 1.0 in a node https server: https://stackoverflow.com/questions/31201029/how-to-disable-tls-1-0-and-use-only-tls-1-1-using-nodejs

Note that I have tested this both with and without this new option. It works as expected and has no effect on existing redbird deployments.

Simply pass in "secureOptions" as you normally would to an https config object, and redbird will pass it along into the https proxy server.
manast (Member) commented Apr 22, 2019

This is great. Would you mind updating the README as well, so that the option becomes visible to other users?

James9074 (Contributor, Author) commented:

All done! I've added the option with a little explanation in the README, @manast.

manast (Member) commented Apr 30, 2019

Fantastic, thanks!

@manast manast merged commit a8779cc into OptimalBits:master Apr 30, 2019
Macroz commented Oct 28, 2019

@James9074 can you do something about the advisory https://www.npmjs.com/advisories/828? Isn't there a mitigation available now, i.e. since 0.9.1?

James9074 (Contributor, Author) commented Dec 11, 2019

@Macroz That's odd, it says I reported it, but I never submitted anything to NPM... I wonder how they managed to scrape this? Since 0.9.1, it's been easy to mitigate.

Update: https://snyk.io/vuln/SNYK-JS-REDBIRD-174455. I'll email the NPM team and ask them to fix this. SNYK correctly lists this as < 0.9.1, while NPM reports <= 0.9.1.

I'll update here once I have that fixed.

Update (x2): I've emailed the npm team and CC'd you, @Macroz.

Macroz commented Dec 12, 2019

Thanks, I think it just got fixed!

3 participants