From 74979c31609beab1870373e6aeba7cfb0697d725 Mon Sep 17 00:00:00 2001
From: Arnout Kazemier
Date: Mon, 24 Aug 2015 16:08:54 +0200
Subject: [PATCH 1/4] [fix] Adding more sane HTTPS configuration to protect against POODLE by default.
---
 index.js | 66 ++++++++++++++++++++++++++++++++++++++------------------
 1 file changed, 45 insertions(+), 21 deletions(-)
diff --git a/index.js b/index.js
index 91d0c5f..5be252a 100644
--- a/index.js
+++ b/index.js
@@ -24,29 +24,19 @@ function is(obj) {
 * @returns {Server} The created server.
 */
 function create(server, fn) {
- var options;
+ var type = is(server) , options;
- switch (is(server)) { case 'object': options = server; break; case 'number': options = { port: server }; break; default: options = {}; break; }
+ if ('object' === type) options = server; else if ('number' === type) options = { port: server }; else options = {};
 fn = create.fns(fn || options);
 var port = options.port || 443 // Force HTTPS by default.
 , certs = options.key && options.cert // Check HTTPS certs.
- , secure = certs || 443 === port // Check for true HTTPS
- , spdy = 'spdy' in options // Or are we spdy
- , type;
+ , secure = certs || 443 === port // Check for true HTTPS.
+ , spdy = 'spdy' in options; // Or are we spdy.
 //
 // Determine which type of server we need to create.
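Review bot: On the `'object'` branch `options = server` makes `options` an alias of the caller's object, and the secure-default assignments this series adds further down in `create` (`options.secureProtocol`, `options.secureOptions`, `options.ciphers`) then write through that alias, so a caller who reuses one options object for several servers, or inspects it afterwards, finds the defaults injected into it. A shallow copy at that point keeps the caller's object untouched: `if ('object' === type) { options = {}; Object.keys(server).forEach(function (k) { options[k] = server[k]; }); }`. Separately, `type` now holds the `is(server)` result and is presumably reassigned to the server kind that `require(type)` consumes in the next hunk, which reads as two variables sharing one name; `var kind = is(server)` for the first use would keep them apart. The remainder of `create` lies outside this hunk.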
@@ -83,12 +73,46 @@ function create(server, fn) {
 });
 }
- if ('http' === type) { server = require('http').createServer(); } else { server = require(type).createServer(options);
+ // // Provide additional protection for HTTPS server by supplying a safer cypher // set and prevent POODLE attacks on the servers. // if (secure) { // // Protection against POODLE attacks. // options.secureProtocol = options.secureProtocol || 'SSLv23_method'; options.secureOptions = options.secureOptions || require('constants').SSL_OP_NO_SSLv3; // // Optimized cipher list. // options.ciphers = options.ciphers || [ 'ECDHE-RSA-AES256-SHA384', 'DHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA256', 'DHE-RSA-AES256-SHA256', 'ECDHE-RSA-AES128-SHA256', 'DHE-RSA-AES128-SHA256', 'HIGH', '!aNULL', '!eNULL', '!EXPORT', '!DES', '!RC4', '!MD5', '!PSK', '!SRP', '!CAMELLIA' ].join(':');
 }
+ // // Create the correct server instance and pass in the options object for those // who require it (spoiler: all non http servers). // server = require(type).createServer('http' !== type && options);
 //
 // Setup an addition redirect server which redirects people to the correct
 // HTTP or HTTPS server.
From 5500726cbc70f6cd0e185dd3c5a47d064d544766 Mon Sep 17 00:00:00 2001
From: Arnout Kazemier
Date: Mon, 24 Aug 2015 16:12:27 +0200
Subject: [PATCH 2/4] [deps] Bump dependencies to latest version
---
 package.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index 6d50db6..b410de8 100644
--- a/package.json
+++ b/package.json
@@ -32,11 +32,11 @@
 "connected": "0.0.x"
 },
 "devDependencies": {
- "assume": "1.1.x",
+ "assume": "1.2.x",
 "istanbul": "0.3.x",
- "mocha": "2.1.x",
- "pre-commit": "1.0.x",
- "request": "2.53.x",
- "spdy": "1.31.x"
+ "mocha": "2.2.x",
+ "pre-commit": "1.1.x",
+ "request": "2.61.x",
+ "spdy": "2.0.x"
 }
 }
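Review bot: The `options.ciphers` default inside `if (secure)` lists only CBC suites explicitly and reaches the AEAD (GCM) suites solely through the trailing `HIGH`, while `!DES` does not exclude the triple-DES `DES-CBC3-SHA` suite that `HIGH` admits on OpenSSL 1.0.x (`3DES` is a separate cipher-string keyword), and nothing sets `honorCipherOrder`, so on the 0.8–0.12 targets the order is, as far as I recall, not enforced by the server at all. `options.secureOptions || require('constants').SSL_OP_NO_SSLv3` also means any caller-supplied `secureOptions` silently discards the POODLE protection, and `SSL_OP_NO_SSLv2` is never set even though `SSLv23_method` is the version-negotiating method; OR-ing both flags into whatever the caller passes keeps them. Note that the override key the code reads is `ciphers`, so that is the name callers must use. The sketch below puts ECDHE/DHE GCM suites first, adds `!3DES`, merges `secureOptions` and defaults `honorCipherOrder` to true unless the caller set it; `create` continues outside this hunk.
```javascript
if (secure) {
  var constants = require('constants');

  //
  // Protection against POODLE (SSLv3) and SSLv2. The flags are OR-ed into any
  // caller-supplied secureOptions instead of being replaced by them.
  //
  options.secureProtocol = options.secureProtocol || 'SSLv23_method';
  options.secureOptions = (options.secureOptions || 0)
    | constants.SSL_OP_NO_SSLv2
    | constants.SSL_OP_NO_SSLv3;

  //
  // Forward-secret AEAD suites first, then the CBC fallbacks. `!3DES` is
  // needed because `HIGH` admits DES-CBC3-SHA and `!DES` does not cover it.
  //
  options.ciphers = options.ciphers || [
    'ECDHE-RSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES256-GCM-SHA384',
    'DHE-RSA-AES128-GCM-SHA256',
    'DHE-RSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES256-SHA384',
    'DHE-RSA-AES256-SHA384',
    'ECDHE-RSA-AES256-SHA256',
    'DHE-RSA-AES256-SHA256',
    'ECDHE-RSA-AES128-SHA256',
    'DHE-RSA-AES128-SHA256',
    'HIGH',
    '!aNULL',
    '!eNULL',
    '!EXPORT',
    '!DES',
    '!3DES',
    '!RC4',
    '!MD5',
    '!PSK',
    '!SRP',
    '!CAMELLIA'
  ].join(':');

  //
  // Make the order above the one the server enforces; older Node releases
  // default to the client's preference.
  //
  if (!('honorCipherOrder' in options)) options.honorCipherOrder = true;
}
// … unchanged: server creation and redirect setup …
```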
From 96a45c1d21778162f37bf8bbb1a47bae3d53ee7d Mon Sep 17 00:00:00 2001
From: Arnout Kazemier
Date: Mon, 24 Aug 2015 16:16:43 +0200
Subject: [PATCH 3/4] [doc] Document our new, default SSL options.
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/README.md b/README.md
index 554c2c5..9436ecc 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,12 @@ The following properties can be provided as callback object:
 - **http**: A new HTTP server has been created.
 - **spdy**: A new SPDY server has been created.
+When creating a secure server, we will do our best to provide sane defaults that will protect your server against known secure server attacks such as POODLE, we also update the cipher list to prevent attacks such as heart bleed. This can be overridden by supplying your own `cypher`, `secureProtocol` and `secureOptions` keys as option.
 ## License
 MIT
From 1c81494516a712e66a6e2cd84976366dd862015a Mon Sep 17 00:00:00 2001
From: Arnout Kazemier
Date: Mon, 24 Aug 2015 16:19:25 +0200
Subject: [PATCH 4/4] [travis] Include the various of iojs releases we want to test against
---
 .travis.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index da06733..90a9631 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,9 +1,11 @@
 language: node_js
 node_js:
- - "0.8"
- - "0.10"
+ - "iojs-v3"
+ - "iojs-v2"
+ - "iojs-v1"
 - "0.12"
- - "iojs"
+ - "0.10"
+ - "0.8"
 before_install:
 - 'if [ "${TRAVIS_NODE_VERSION}" == "0.8" ] ; then npm install -g npm@2.7.0; fi'
 script: