honorCipherOrder should be supported for SNI TLS/SSL connections #7249
Comments
Indeed, this is a bug. Confirming.
Add `honorCipherOrder` argument to `crypto.createCredentials`. fix nodejs#7249
Not exactly what I was initially thinking about, but anyway, a fix: #7255
Does it really fix it? It does not for me. In my gist I tried to do
You forgot to add
Anyway, I think that my PR has some value. I'm open for discussion of setting
I do not have any opinion on setting
I agree with you, but it could be used for different purposes and it is a public method; I'm afraid we can't change its behavior in v0.10. I'll open a PR for v0.11 shortly.
Move `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE` from `tls` module into the `crypto` module. Make `crypto.createCredentials` use default values. fix nodejs#7249
Proposed changes are in #7265
Add `honorCipherOrder` argument to `crypto.createCredentials`. fix #7249
Test is here:
https://gist.github.com/RushPL/9376770
The test below for the primary domain is correct:
The test below for the secondary (SNI-resolved) domain is not correct, as the cipher should be the same as in the test above:
Forcing the server's cipher order is necessary to implement forward secrecy: https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
This forbids the NSA or other third parties from listening on connections even if the private keys are compromised. A special key exchange happens on negotiation.
I have tried to work around the lack of the `honorCipherOrder` option by manually passing the constant to the Credentials constructor, but it fails for some reason. Please advise.