Backport TLSv1.3 secure ciphers #212
Conversation
|
I've ran some feature tests on 155 different versions of node: https://github.com/pro-src/node-ciphers-ci-test Due to the complicated nature of this problem, I can't say for certain that this is a guaranteed fix but it should at least mitigate some of the problems that users have been experiencing. Also, I'm thinking that Cloudflare is likely to update their SSL related checks so we'll need to keep an eye on this. |
|
Merging and releasing |
|
@pro-src it is ready to be merged, right? |
|
Yeah, it is ready to be merged. TLSv1.3 is TLS done right. We're only backporting a few very secure openssl options to avoid triggering a CAPTCHA. At worst, it does nothing since openssl will simply ignore any unsupported ciphers. At best, it completely solves the problem by changing the defaults to more closely match the defaults of current openssl versions. Node will call this openssl function to set the ciphers: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html
Simply put, we're using a cipher list control string that includes the already existing defaults, plus a few additions if the openssl version is outdated. I tested a 155 versions of node between v6 and the latest v12. I found that there is generally only 4 unique default cipher suite lists. Every version of the list is a subset of the most recent list and several cipher suites are present in all 4 lists. Thus, we can conclude that it is not the inclusion of the default ciphers that are causing the problem. It is the absence of expected ciphers and/or other attributes of the SSL negotiation. The chief difference in the lists being that some of the TLSv1.3 options present in recent versions of node are not present in versions of node that were compiled with It still remains to be seen if this completely solves the problem since there are other variables in the TLS |
|
Released as |
ghost
deleted the
Fixes #211