Open icelava opened 9 years ago
+1
Had a peek at the networking code; it seems to simply use the https.request() object without any special options.
Seems like Node.js by default already disables SSL v2/3?
I'm trying to determine this as well. From what I gather so far, if you're on 0.10.33, node won't even connect to an SSLv2 or SSLv3 service because they are disabled in 0.10.33 due to POODLE. My C++ isn't very good, but upon investigating node_crypto.cc it looks like even in versions of node greater than 0.10.33, the default openssl method is SSLv23_method(). https://github.com/joyent/node/blob/master/src/node_crypto.cc#L321
From this announcement: http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/ we have some description of the behavior:
"The default protocol method Node.js uses is SSLv23_method which would be more accurately named AutoNegotiate_method. This method will try and negotiate from the highest level down to whatever the client supports. To provide a secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3 and SSLv2 by setting the secureOptions to be SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2 (again, unless you have passed --enable-ssl3, or --enable-ssl2, or SSLv3_method as secureProtocol)."
Furthermore, it states:
"If your application is behaving as a secure client and communicating with a server that doesn't support methods more secure than SSLv3 then your connection won't be able to negotiate and will fail. In this case your client will emit an error event. The error message will include 'wrong version number'."
From what I can tell, this suggests that it will try protocols more secure than SSLv2 and SSLv3 like TLSv1.2, TLSv1.1, etc.
Unfortunately, I haven't been able to find anything in the openssl docs that describes the AutoNegotiate_method behavior described in the 0.10.33 release notes.
In the openssl docs (https://www.openssl.org/docs/ssl/SSL_CTX_new.html) it actually states that use of SSLv23_method() is deprecated:
"SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void): Use of these functions is deprecated. They have been replaced with TLS_method(), TLS_server_method() and TLS_client_method() respectively. New code should use those functions instead."
¯\_(ツ)_/¯
What protocol does knox use to make https connections to S3 services?
https://forums.aws.amazon.com/thread.jspa?threadID=176062&start=25&tstart=0