update secureOptions parameter for https server#570
Open
inkz wants to merge 1 commit into alibaba:master from
Conversation
Hello,
I’m a security researcher at r2c. We work with industry experts to write code checks for bugs in open source.
Problem:
I found that the https server doesn't disallow TLS v1 as it is intended to do:
anyproxy/lib/httpsServerMgr.js, line 71 in b93f948
anyproxy/lib/httpsServerMgr.js, line 85 in b93f948
TLS v1 is deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.
Fix:
This happens because the TLS stack (OpenSSL) requires that the options are combined with bitwise OR, while logical OR is used. In this case only `constants.SSL_OP_NO_SSLv3` is passed to `secureOptions`, allowing connections with TLS v1. See https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs
We have a tool called Semgrep you can use for your project that continuously detects problems like this one. Semgrep is also available as a GitHub Action to make it easy to set up. The check that identified this bug is available in Semgrep by using https://semgrep.dev/p/colleend.insecure-transport-nodejs
Thanks, and I hope this helps! Let me know if you have any questions.