author | Roman Reiss <me@silverwind.io> | 2015-02-15 18:43:36 +0100 |
---|---|---|
committer | Fedor Indutny <fedor@indutny.com> | 2015-02-16 12:33:12 +0100 |
commit | 77f35861d0217273b9e478f5d35bd7d8e471e14f (patch) | |
tree | f027b88a1ef22323dd66986f7e89546d2cd8c4f2 /lib/tls.js | |
parent | 20f8e7f17a931e3852f7c58a25db55bd78943697 (diff) | |
download | android-node-v8-77f35861d0217273b9e478f5d35bd7d8e471e14f.tar.gz android-node-v8-77f35861d0217273b9e478f5d35bd7d8e471e14f.tar.bz2 android-node-v8-77f35861d0217273b9e478f5d35bd7d8e471e14f.zip |
tls: more secure defaults
This updates the default cipher suite to a more secure list, which
prefers strong ciphers with Forward Secrecy. Additionally, it enables
`honorCipherOrder` by default.
A notable effect of this change is that the insecure RC4 ciphers are
disabled and that Chrome negotiates a more secure ECDHE cipher.
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: https://github.com/iojs/io.js/pull/826
Diffstat (limited to 'lib/tls.js')
-rw-r--r-- | lib/tls.js | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/lib/tls.js b/lib/tls.js
index 0e13516add..9e1b928ee8 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -13,11 +13,24 @@ exports.CLIENT_RENEG_WINDOW = 600;
 exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024;
-exports.DEFAULT_CIPHERS =
- // TLS 1.2
- 'ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' +
- // TLS 1.0
- 'RC4:HIGH:!MD5:!aNULL';
+exports.DEFAULT_CIPHERS = [
+ 'ECDHE-RSA-AES256-SHA384',
+ 'DHE-RSA-AES256-SHA384',
+ 'ECDHE-RSA-AES256-SHA256',
+ 'DHE-RSA-AES256-SHA256',
+ 'ECDHE-RSA-AES128-SHA256',
+ 'DHE-RSA-AES128-SHA256',
+ 'HIGH',
+ '!aNULL',
+ '!eNULL',
+ '!EXPORT',
+ '!DES',
+ '!RC4',
+ '!MD5',
+ '!PSK',
+ '!SRP',
+ '!CAMELLIA'
+].join(':');
 exports.DEFAULT_ECDH_CURVE = 'prime256v1'; |
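Review bot: The `'!DES'` entry in the new DEFAULT_CIPHERS list removes only single-DES suites; in OpenSSL's cipher-string grammar triple-DES is selected by the separate keyword `3DES`, so with the OpenSSL builds of that era `DES-CBC3-SHA` most likely still survives via `HIGH`. If the intent is to drop 64-bit-block ciphers along with RC4, add `'!3DES',` beside `'!DES',`. It would also help a future maintainer to state that the explicit ECDHE/DHE entries only fix the preference order while the bulk of the accepted suites, including the AES-GCM ones no longer named explicitly, come from `HIGH`, e.g. `// Explicit entries set preference order; HIGH supplies the remaining suites.` above the array. The `@@` counts indicate two trailing context lines of this hunk that are not shown on this page.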