Open thernstig opened 2 years ago
I suspect this is either fixed by https://github.com/nodejs/node/pull/41864 (yet to be released) or a documentation bug. cc @nodejs/crypto
As stated in the documentation, tls.getCiphers()
returns the list of supported ciphers. But not all supported ciphers are enabled by default:
By default, the TLS 1.3 CCM
ciphers are disabled (look at crypto.constants.defaultCoreCipherList
). But they are supported, so you can manually enable them.
@tniessen, thanks, that does make a bit more sense. I am thinking documentation could be more clear here, as it might not be immediately obvious. The key term supported
is easy to misinterpret. To remedy this, I would recommend to add to tls.getCiphers()
some note stating that something like
Note that this is not the same as the enabled cipher suites. Enabled cipher suites are just a subset of the supported cipher suites.
In addition, crypto also has the constant crypto.constants.defaultCipherList
, which shows the list of cipher suites configured (enabled/disabled etc.) following the format of openssl ciphers. This is not mentioned anywhere on https://nodejs.org/api/tls.html, but it is a good constant to know about. Should that be mentioned somewhere as well under Modifying the default TLS cipher suite?
Last but not least, would it make sense to extend tls.getCiphers()
to allow for a parameter that could get the ciphers that ones is after in a more standarized way. For example I might change the --tls-cipher-list
and then call tls.getCiphers(enabled)
to only get enabled ciphers. In this case it works to use crypto.constants.defaultCipherList
, but having parameters to getCiphers()
could also add possibilities like if I use --tls-min-v1.3
there could be a parameter enum to only display the ones used by default. Maybe this would all become to unwieldy complex, but it's just a suggestion.
Current
Node.js is built with a default suite of enabled and disabled TLS ciphers
Proposal
Node.js is built with a default list of enabled and disabled TLS cipher suites
Reasoning
Each string like TLS_AES_256_GCM_SHA384
is a cipher suite in itself. So what is presented is a list of cipher suites.
Rename heading Modifying the default TLS cipher suite
to Modifying the default TLS cipher suites
. It is plural after all.
How do I know which suites are enabled in the Node.js version I am using? For example, the default set of enabled cipher suites is mentioned to be:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA256
HIGH
!aNULL
!eNULL
!EXPORT
!DES
!RC4
!MD5
!PSK
!SRP
!CAMELLIA
If I execute this on openssl
(OpenSSL 1.1.1f 31 Mar 2020) on my machine I get:
> openssl ciphers -v "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-
SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA"
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
AES256-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
ARIA256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=ARIAGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
AES128-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
ARIA128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=ARIAGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
The reason for this is the HIGH
that the default cipher suites list includes.
But is there any way to view this in Node.js like this, i.e. the full suite of enabled ones? My suggestion above about tls.getCiphers()
might remedy this. But is there any way to get this list already now?
I am thinking documentation could be more clear here, as it might not be immediately obvious. The key term
supported
is easy to misinterpret. To remedy this, I would recommend to add totls.getCiphers()
some note
I had the same thought yesterday and opened https://github.com/nodejs/node/pull/42063 :) I'll look at additional documentation improvements later.
How do I know which suites are enabled in the Node.js version I am using?
There is currently no way to expand the configured list into a list of all the cipher suites. If you need a specific list of cipher suites, you can configure it directly. The format is, unfortunately, specific to OpenSSL. Luckily, with the transition to TLS 1.3 that explicitly lists the few enabled cipher suites, this should not be an issue in the future.
Great if you can look at the rest of the doc suggestions :)
There is currently no way to expand the configured list into a list of all the cipher suites.
But there could be, if an API change was made to tls.getCiphers()
to accept parameters?
What makes this even more confusing (in regards to enabled vs. disabled) is the output of these:
/*
* Output from tls.getCiphers()
*/
[
'aes128-gcm-sha256',
'aes128-sha',
'aes128-sha256',
'aes256-gcm-sha384',
'aes256-sha',
'aes256-sha256',
'dhe-psk-aes128-cbc-sha',
'dhe-psk-aes128-cbc-sha256',
'dhe-psk-aes128-gcm-sha256',
'dhe-psk-aes256-cbc-sha',
'dhe-psk-aes256-cbc-sha384',
'dhe-psk-aes256-gcm-sha384',
'dhe-psk-chacha20-poly1305',
'dhe-rsa-aes128-gcm-sha256',
'dhe-rsa-aes128-sha',
'dhe-rsa-aes128-sha256',
'dhe-rsa-aes256-gcm-sha384',
'dhe-rsa-aes256-sha',
'dhe-rsa-aes256-sha256',
'dhe-rsa-chacha20-poly1305',
'ecdhe-ecdsa-aes128-gcm-sha256',
'ecdhe-ecdsa-aes128-sha',
'ecdhe-ecdsa-aes128-sha256',
'ecdhe-ecdsa-aes256-gcm-sha384',
'ecdhe-ecdsa-aes256-sha',
'ecdhe-ecdsa-aes256-sha384',
'ecdhe-ecdsa-chacha20-poly1305',
'ecdhe-psk-aes128-cbc-sha',
'ecdhe-psk-aes128-cbc-sha256',
'ecdhe-psk-aes256-cbc-sha',
'ecdhe-psk-aes256-cbc-sha384',
'ecdhe-psk-chacha20-poly1305',
'ecdhe-rsa-aes128-gcm-sha256',
'ecdhe-rsa-aes128-sha',
'ecdhe-rsa-aes128-sha256',
'ecdhe-rsa-aes256-gcm-sha384',
'ecdhe-rsa-aes256-sha',
'ecdhe-rsa-aes256-sha384',
'ecdhe-rsa-chacha20-poly1305',
'psk-aes128-cbc-sha',
'psk-aes128-cbc-sha256',
'psk-aes128-gcm-sha256',
'psk-aes256-cbc-sha',
'psk-aes256-cbc-sha384',
'psk-aes256-gcm-sha384',
'psk-chacha20-poly1305',
'rsa-psk-aes128-cbc-sha',
'rsa-psk-aes128-cbc-sha256',
'rsa-psk-aes128-gcm-sha256',
'rsa-psk-aes256-cbc-sha',
'rsa-psk-aes256-cbc-sha384',
'rsa-psk-aes256-gcm-sha384',
'rsa-psk-chacha20-poly1305',
'srp-aes-128-cbc-sha',
'srp-aes-256-cbc-sha',
'srp-rsa-aes-128-cbc-sha',
'srp-rsa-aes-256-cbc-sha',
'tls_aes_128_ccm_8_sha256',
'tls_aes_128_ccm_sha256',
'tls_aes_128_gcm_sha256',
'tls_aes_256_gcm_sha384',
'tls_chacha20_poly1305_sha256'
]
/*
* Output from openssl (OpenSSL 1.1.1f 31 Mar 2020) on my machine:
* openssl ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA" | tr ':' '\n'
* (lowercased and sorted alphabetically)
*/
[
'aes128-ccm',
'aes128-ccm8',
'aes128-gcm-sha256',
'aes128-sha',
'aes128-sha256',
'aes256-ccm',
'aes256-ccm8',
'aes256-gcm-sha384',
'aes256-sha',
'aes256-sha256',
'aria128-gcm-sha256',
'aria256-gcm-sha384',
'dhe-dss-aes128-gcm-sha256',
'dhe-dss-aes128-sha',
'dhe-dss-aes128-sha256',
'dhe-dss-aes256-gcm-sha384',
'dhe-dss-aes256-sha',
'dhe-dss-aes256-sha256',
'dhe-dss-aria128-gcm-sha256',
'dhe-dss-aria256-gcm-sha384',
'dhe-rsa-aes128-ccm',
'dhe-rsa-aes128-ccm8',
'dhe-rsa-aes128-gcm-sha256',
'dhe-rsa-aes128-sha',
'dhe-rsa-aes128-sha256',
'dhe-rsa-aes256-ccm',
'dhe-rsa-aes256-ccm8',
'dhe-rsa-aes256-gcm-sha384',
'dhe-rsa-aes256-sha',
'dhe-rsa-aes256-sha256',
'dhe-rsa-aria128-gcm-sha256',
'dhe-rsa-aria256-gcm-sha384',
'dhe-rsa-chacha20-poly1305',
'ecdhe-aria128-gcm-sha256',
'ecdhe-aria256-gcm-sha384',
'ecdhe-ecdsa-aes128-ccm',
'ecdhe-ecdsa-aes128-ccm8',
'ecdhe-ecdsa-aes128-gcm-sha256',
'ecdhe-ecdsa-aes128-sha',
'ecdhe-ecdsa-aes128-sha256',
'ecdhe-ecdsa-aes256-ccm',
'ecdhe-ecdsa-aes256-ccm8',
'ecdhe-ecdsa-aes256-gcm-sha384',
'ecdhe-ecdsa-aes256-sha',
'ecdhe-ecdsa-aes256-sha384',
'ecdhe-ecdsa-aria128-gcm-sha256',
'ecdhe-ecdsa-aria256-gcm-sha384',
'ecdhe-ecdsa-chacha20-poly1305',
'ecdhe-rsa-aes128-gcm-sha256',
'ecdhe-rsa-aes128-sha',
'ecdhe-rsa-aes128-sha256',
'ecdhe-rsa-aes256-gcm-sha384',
'ecdhe-rsa-aes256-sha',
'ecdhe-rsa-aes256-sha384',
'ecdhe-rsa-chacha20-poly1305',
'tls_aes_128_gcm_sha256',
'tls_aes_256_gcm_sha384',
'tls_chacha20_poly1305_sha256',
];
There is a large difference between these. Mind you, this is partly due to the openssl version I am using when viewing this, but since there is no way to show the full list of what HIGH
means in the context of the openssl lib Node.js was built with, I cannot know what will be allowed with my server.
This is important for some projects, as they need export control to show the available TLS cipher suites used.
Is there absolutely no way for me to know this then from the Node.js version I am using, with any of the built-in commands?
To be more clear, the last post I made shows me that there are supported suites (via tls.getciphers()
) that do not even exist in the cipher suite list I get from my openssl ciphers
command with the enabled suites in Node.js. This is... weird. How can suites be supported, but not exist in the enabled suites?
(Could be due to different openssl lib versions, but the difference is rather big)
Thanks
There is a large difference between these.
The two lists you posted are identical. Maybe I'm misunderstanding. Could you clarify this please?
@tniessen I had copy & pasted the wrong content into one of the examples. Updated now. Thanks for notifying me.
I also wrote https://github.com/nodejs/node/issues/42077 in regards to additions to tls.getCiphers()
.
To be more clear, the last post I made shows me that there are supported suites (via
tls.getciphers()
) that do not even exist in the cipher suite list I get from myopenssl ciphers
command with the enabled suites in Node.js. This is... weird. How can suites be supported, but not exist in the enabled suites?
Because Node.js intentionally disables some supported cipher suites by default. For example, the two TLSv1.3 CCM cipher suites are both supported and disabled by default:
Your browser might be doing the same thing (depending on the hardware), at least mine does.
This issue is for TLSv1.3 ciphers, but anyways. I noticed that current Node.js default cipher suite list contains these two ciphers: ECDHE-RSA-AES256-SHA256
and DHE-RSA-AES256-SHA384
Which ARE NOT in the supported ciphers list through tls.getCiphers()
is this a documentation bug? Implementation bug? Or are those two ciphers added into the list for the future?
Default cipher suite documentation states that The default cipher suite included within Node.js has been carefully selected to reflect current security best practices and risk mitigation.
if those are carefully selected then there should be reason why those two ciphers are added.
Affected URL(s)
https://nodejs.org/api/tls.html
Description of the problem
The page states:
https://github.com/nodejs/node/blob/53364a2ec61594ced5b56da804554a2acc09673a/doc/api/tls.md?plain=1#L360-L370
However executing
tls.getCiphers()
shows:Notice how
tls_aes_128_ccm_sha256
andtls_aes_128_ccm_8_sha256
is part of that list.How can it then be true that the first example states they are not enabled?