Commit 60d1a48

andreas-ibm authored and targos committed
doc: document how to use the tls.DEFAULT_CIPHERS

The DEFAULT_CIPHERS already exists; this change shows how to use it.

Fixes: #46462
PR-URL: #46482
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
1 parent 00edc50 commit 60d1a48

1 file changed: doc/api/tls.md (36 additions, 0 deletions)
@@ -356,6 +356,30 @@ export NODE_OPTIONS=--tls-cipher-list='ECDHE-RSA-AES128-GCM-SHA256:!RC4'
356356
node server.js
357357
```
358358

359+
To verify, use the following command to show the set cipher list, note the
360+
difference between `defaultCoreCipherList` and `defaultCipherList`:
361+
362+
```bash
363+
node --tls-cipher-list='ECDHE-RSA-AES128-GCM-SHA256:!RC4' -p crypto.constants.defaultCipherList | tr ':' '\n'
364+
ECDHE-RSA-AES128-GCM-SHA256
365+
!RC4
366+
```
367+
368+
i.e. the `defaultCoreCipherList` list is set at compilation time and the
369+
`defaultCipherList` is set at runtime.
370+
371+
To modify the default cipher suites from within the runtime, modify the
372+
`tls.DEFAULT_CIPHERS` variable, this must be performed before listening on any
373+
sockets, it will not affect sockets already opened. For example:
374+
375+
```js
376+
// Remove Obsolete CBC Ciphers and RSA Key Exchange based Ciphers as they don't provide Forward Secrecy
377+
tls.DEFAULT_CIPHERS +=
378+
':!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384' +
379+
':!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA384' +
380+
':!kRSA';
381+
```
382+
359383
The default can also be replaced on a per client or server basis using the
360384
`ciphers` option from [`tls.createSecureContext()`][], which is also available
361385
in [`tls.createServer()`][], [`tls.connect()`][], and when creating new
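Review bot: the comment above the `tls.DEFAULT_CIPHERS +=` example ("Remove Obsolete CBC Ciphers and RSA Key Exchange based Ciphers as they don't provide Forward Secrecy") attaches the forward-secrecy rationale to both groups, but only the `!kRSA` exclusion is about forward secrecy; the `ECDHE-*-SHA`, `-SHA256` and `-SHA384` suites being excluded on the two lines above it are ephemeral-ECDH (forward-secret) CBC suites that are dropped because CBC mode is obsolete. Suggest splitting it into two short comments, one per reason, e.g. `// Drop obsolete CBC suites` before the ECDHE lines and `// Drop RSA key exchange, which offers no forward secrecy` before `':!kRSA'`, which also shortens the very long comment line. The example also uses `tls` without a `const tls = require('node:tls');` line, so it does not run as pasted. On timing, "this must be performed before listening on any sockets" is looser than the real constraint: per the new `tls.DEFAULT_CIPHERS` entry in the next hunk the value is the default for the `ciphers` option of `tls.createSecureContext()`, so it is consumed when the secure context is built, i.e. it must be set before `tls.createServer()`, `tls.createSecureContext()` or `tls.connect()`, not merely before `listen()`. Finally, "modify the `tls.DEFAULT_CIPHERS` variable, this must be performed before listening on any sockets, it will not affect sockets already opened" is a chain of comma splices; break it into separate sentences.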
@@ -2224,6 +2248,18 @@ added: v11.4.0
22242248
`'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
22252249
used.
22262250

2251+
## `tls.DEFAULT_CIPHERS`
2252+
2253+
<!-- YAML
2254+
added: REPLACEME
2255+
-->
2256+
2257+
* {string} The default value of the `ciphers` option of
2258+
[`tls.createSecureContext()`][]. It can be assigned any of the supported
2259+
OpenSSL ciphers. Defaults to the content of
2260+
`crypto.constants.defaultCoreCipherList`, unless changed using CLI options
2261+
using `--tls-default-ciphers`.
2262+
22272263
[CVE-2021-44531]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
22282264
[Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
22292265
[DHE]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
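Review bot: the CLI flag named in the new `tls.DEFAULT_CIPHERS` entry, `--tls-default-ciphers`, does not match the flag the first hunk of this same file uses and verifies against, `--tls-cipher-list`; the two sections should agree, so change the entry to `--tls-cipher-list`. The same sentence stutters ("unless changed using CLI options using"), and "It can be assigned any of the supported OpenSSL ciphers" undersells what is assigned: the example in the earlier hunk assigns a colon-separated cipher list string with `!` exclusions, not a single cipher. Suggest: `It can be assigned any OpenSSL cipher list string. Defaults to the content of crypto.constants.defaultCoreCipherList, unless changed with the --tls-cipher-list CLI option.`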
