Commit 60d1a48

andreas-ibmtargos
authored and committed
doc: document how to use the tls.DEFAULT_CIPHERS
The DEFAULT_CIPHERS already exists; this change shows how to use it.

Fixes: #46462
PR-URL: #46482
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
1 parent 00edc50 commit 60d1a48

File tree

1 file changed

+36
-0
lines changed


doc/api/tls.md

+36
@@ -356,6 +356,30 @@ export NODE_OPTIONS=--tls-cipher-list='ECDHE-RSA-AES128-GCM-SHA256:!RC4'
356356
node server.js
357357
```
358358

359+
To verify, use the following command to show the set cipher list, note the
360+
difference between `defaultCoreCipherList` and `defaultCipherList`:
361+
362+
```bash
363+
node --tls-cipher-list='ECDHE-RSA-AES128-GCM-SHA256:!RC4' -p crypto.constants.defaultCipherList | tr ':' '\n'
364+
ECDHE-RSA-AES128-GCM-SHA256
365+
!RC4
366+
```
367+
368+
i.e. the `defaultCoreCipherList` list is set at compilation time and the
369+
`defaultCipherList` is set at runtime.
370+
371+
To modify the default cipher suites from within the runtime, modify the
372+
`tls.DEFAULT_CIPHERS` variable, this must be performed before listening on any
373+
sockets, it will not affect sockets already opened. For example:
374+
375+
```js
376+
// Remove Obsolete CBC Ciphers and RSA Key Exchange based Ciphers as they don't provide Forward Secrecy
377+
tls.DEFAULT_CIPHERS +=
378+
':!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384' +
379+
':!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA384' +
380+
':!kRSA';
381+
```
382+
359383
The default can also be replaced on a per client or server basis using the
360384
`ciphers` option from [`tls.createSecureContext()`][], which is also available
361385
in [`tls.createServer()`][], [`tls.connect()`][], and when creating new
@@ -2224,6 +2248,18 @@ added: v11.4.0
22242248
`'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
22252249
used.
22262250

2251+
## `tls.DEFAULT_CIPHERS`
2252+
2253+
<!-- YAML
2254+
added: REPLACEME
2255+
-->
2256+
2257+
* {string} The default value of the `ciphers` option of
2258+
[`tls.createSecureContext()`][]. It can be assigned any of the supported
2259+
OpenSSL ciphers. Defaults to the content of
2260+
`crypto.constants.defaultCoreCipherList`, unless changed using CLI options
2261+
using `--tls-default-ciphers`.
2262+
22272263
[CVE-2021-44531]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
22282264
[Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
22292265
[DHE]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
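Review bot: the CLI flag named in the last sentence of this hunk is inconsistent with the rest of the file: it says the default is changed "using CLI options using `--tls-default-ciphers`", whereas the first hunk and the existing `NODE_OPTIONS` example both use `--tls-cipher-list`. One of the two is wrong and they should agree; the doubled "using" should go at the same time, for example "unless changed with the `--tls-cipher-list` CLI option" if that is the intended flag. The `added: REPLACEME` placeholder is the usual release-time marker and needs no change.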
