alibaba / anyproxy

A fully configurable http/https proxy in NodeJS
http://anyproxy.io
Apache License 2.0
7.85k stars 1.22k forks

update secureOptions parameter for https server #570

Open inkz opened 4 years ago

inkz commented 4 years ago

Hello,

I’m a security researcher at [r2c](https://r2c.dev/). We work with industry experts to write code checks for bugs in open source.

Problem: I found that the https server doesn't disallow TLS v1 as it is intended to do:
https://github.com/alibaba/anyproxy/blob/b93f948107b956e07c7b68faeff0c777a1f50486/lib/httpsServerMgr.js#L71
https://github.com/alibaba/anyproxy/blob/b93f948107b956e07c7b68faeff0c777a1f50486/lib/httpsServerMgr.js#L85

TLS v1 is deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.

Fix: This happens because the TLS stack (OpenSSL) requires that the options are combined with bitwise OR, while logical OR is used:

```js
// this is how it should be
secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1

// this is how it is used now
secureOptions: constants.SSL_OP_NO_SSLv3 || constants.SSL_OP_NO_TLSv1
```

In this case only `constants.SSL_OP_NO_SSLv3` is passed to `secureOptions`, allowing connections with TLS v1.

https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs

We have a tool called [Semgrep](https://semgrep.dev/) you can use for your project that continuously detects problems like this one. Semgrep is also available as a GitHub Action to make it easy to set up. The check that identified this bug is available in Semgrep by using https://semgrep.dev/p/colleend.insecure-transport-nodejs

Thanks, and I hope this helps! Let me know if you have any questions.
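The difference between the two expressions in the comment above, as an added example that is not part of the original post or of anyproxy's code: it decodes a `secureOptions` bitmask and fails closed at startup when a required protocol flag is missing. The helper names `auditSecureOptions` and `requireDisabled` are hypothetical; the constants are the ones Node exposes in `crypto.constants`.

```javascript
// Added example (not anyproxy code): check what a secureOptions mask really disables.
const { constants } = require('crypto');

// OpenSSL "disable this protocol" flags exposed by Node.
const PROTOCOL_FLAGS = {
  SSLv3: constants.SSL_OP_NO_SSLv3,
  TLSv1: constants.SSL_OP_NO_TLSv1,
  'TLSv1.1': constants.SSL_OP_NO_TLSv1_1,
};

// Hypothetical helper: split protocols into those the mask disables and those
// it does not. "notDisabled" only describes this mask; other settings such as
// the tls minVersion option may still block the protocol.
function auditSecureOptions(secureOptions) {
  const disabled = [];
  const notDisabled = [];
  for (const [name, flag] of Object.entries(PROTOCOL_FLAGS)) {
    ((secureOptions & flag) === flag ? disabled : notDisabled).push(name);
  }
  return { disabled, notDisabled };
}

// Hypothetical helper: throw if any protocol in `required` is not disabled,
// otherwise return the mask so it can be passed straight to the server options.
function requireDisabled(secureOptions, required) {
  const { notDisabled } = auditSecureOptions(secureOptions);
  const missing = required.filter((p) => notDisabled.includes(p));
  if (missing.length > 0) {
    throw new Error(`secureOptions does not disable: ${missing.join(', ')}`);
  }
  return secureOptions;
}

// Logical OR returns its first truthy operand, so the TLS v1 flag is dropped.
const buggy = constants.SSL_OP_NO_SSLv3 || constants.SSL_OP_NO_TLSv1;
// Bitwise OR sets both bits in the mask.
const fixed = constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1;

console.log('logical OR :', auditSecureOptions(buggy));
console.log('bitwise OR :', auditSecureOptions(fixed));
```

Wrapping the value in `requireDisabled(..., ['SSLv3', 'TLSv1'])` where the server options are built turns this class of typo into a startup error instead of a silently weaker listener.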

CLAassistant commented 4 years ago

CLA assistant check
All committers have signed the CLA.