Ssl – Node.js with SSL/TLS protocol v1.2

node.jsopensslSecurityssltls

I would like to use TLS 1.2 on my node.js server. I'm currently using openssl 1.0.0e.

If I upgrade to openssl 1.0.1, do I need to rebuild node.js to upgrade to TLS 1.2? Are there configuration or build settings to specify which ciphers I want to use?

Also, after upgrading to TLS 1.2 would I need to generate new SSL certificates?

Best Answer

Seems that OpenSSL is fully backward compatible. I've updated OpenSSL till it was only 0.9.3 and hasn't any problems with certificates. OpenSSL has options to build with various crypt schemes, including proprietary/patented, so you can choose what you want.

Related Solutions

Security – Our security auditor is an idiot. How to give him the information he wants

First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.

The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.

This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.

Apache – How to Disable TLS 1.1 & 1.2 in Apache

Intrigued by this bug (and yes, I've been able to reproduce it) I've taken a look at the source code for the latest stable version of mod_ssl and found an explanation. Bear with me, this is gonna get amateur-stack-overflowish:

When the SSLProtocol has been parsed, it results in a char looking something like this:

0 1 0 0
^ ^ ^ ^
| | | SSLv1
| | SSLv2
| SSLv3
TLSv1

Upon initiating a new server context, ALL available protocols will be enabled, and the above char is inspected using some nifty bitwise AND operations to determine what protocols should be disabled. In this case, where SSLv3 is the only protocol to have been explicitly enabled, the 3 others will be disabled.

OpenSSL supports a protocol setting for TLSv1.1, but since the SSLProtocol does not account for this options, it never gets disabled. OpenSSL v1.0.1 has some known issues with TLSv1.2 but if it's supported I suppose the same goes for that as for TLSv1.1; it's not recognized/handled by mod_ssl and thus never disabled.

Source Code References for mod_ssl:

SSLProtocol gets parsed at line 925 in pkg.sslmod/ssl_engine_config.c
The options used in the above function is defined at line 444 in pkg.sslmod/mod_ssl.h
All protocols gets enabled at line 586 in pkg.sslmod/ssl_engine_init.c whereafter specific protocols gets disabled on the subsequent lines

How to disable it then?

You have a few options:

Disable it in the OpenSSL config file with:
Protocols All,-TLSv1.1,-TLSv1.2
Rewrite mod_ssl ;-)