
Add options for overriding TLS ciphers used #5915

Merged
merged 3 commits into from Mar 10, 2024

Conversation

HuFlungDu (Contributor)

Added some config options to allow the TLS ciphers used by MeshCentral to be configured by the user. Tested as working on the webserver, but I am not knowledgeable enough about the MeshCentral repo to know if these are all the changes that should be made to enable this ability.

Added config option to set the TLS ciphers instead of relying on a hardcoded list of ciphers determined by meshcentral.
This allows the ciphers used to be set to the recommended ciphers by nodejs, as well as allowing the user to override the ciphers using the "--tls-cipher-list" command line switch for node.
@si458 (Collaborator)

si458 commented Mar 8, 2024

This is so nearly there!
You need to add the extra args to be allowed in meshcentral.js line 142 validArguments.

@HuFlungDu (Contributor Author)

Added the options to validArguments. Thanks!

@Ylianst Ylianst merged commit 150e233 into Ylianst:master Mar 10, 2024
3 checks passed
wdlut pushed a commit to wdlut/MeshCentral that referenced this pull request Mar 19, 2024
* Add the ability to set TLS cipher suites

Added config option to set the TLS ciphers instead of relying on a hardcoded list of ciphers determined by meshcentral.

* Added option to use default node ciphers

This allows the ciphers used to be set to the recommended ciphers by nodejs, as well as allowing the user to override the ciphers using the "--tls-cipher-list" command line switch for node.

* Updated validArguments array to include "usenodedefaulttlsciphers" and "tlsciphers" as options
@bmeirellesRJ

Hello, where do I check the supported ciphers and their order? How do I use TLS_CHACHA20_POLY1305_SHA256?

@si458 (Collaborator)

si458 commented Mar 29, 2024

@bmeirellesRJ is this what you are after? defaults below

MeshCentral/webserver.js

Lines 6112 to 6148 in 862e2ee

    var ciphers = [
        'TLS_AES_256_GCM_SHA384',
        'TLS_AES_128_GCM_SHA256',
        'TLS_AES_128_CCM_8_SHA256',
        'TLS_AES_128_CCM_SHA256',
        'TLS_CHACHA20_POLY1305_SHA256',
        'ECDHE-RSA-AES256-GCM-SHA384',
        'ECDHE-ECDSA-AES256-GCM-SHA384',
        'ECDHE-RSA-AES128-GCM-SHA256',
        'ECDHE-ECDSA-AES128-GCM-SHA256',
        'DHE-RSA-AES128-GCM-SHA256',
        'ECDHE-RSA-CHACHA20-POLY1305', // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
        'ECDHE-ARIA128-GCM-SHA256',
        'ECDHE-ARIA256-GCM-SHA384',
        'ECDHE-RSA-AES128-SHA256', // SSLlabs considers this cipher suite weak, but it's needed for older browsers.
        'ECDHE-RSA-AES256-SHA384', // SSLlabs considers this cipher suite weak, but it's needed for older browsers.
        '!aNULL',
        '!eNULL',
        '!EXPORT',
        '!DES',
        '!RC4',
        '!MD5',
        '!PSK',
        '!SRP',
        '!CAMELLIA'
    ].join(':');
    // Node's own recommended list replaces the hard-coded one when requested.
    if (obj.useNodeDefaultTLSCiphers) {
        ciphers = require("tls").DEFAULT_CIPHERS;
    }
    // An explicit tlsCiphers setting (string or array) overrides both.
    if (obj.tlsCiphers) {
        ciphers = obj.tlsCiphers;
        if (Array.isArray(obj.tlsCiphers)) {
            ciphers = obj.tlsCiphers.join(":");
        }
    }

To set your own, set tlsCiphers: ['TLS_CHACHA20_POLY1305_SHA256'] under settings in your config.json.
