Merge pull request #212 from pro-src/211_ssl_ciphers

Backport TLSv1.3 secure ciphers
codemanki · May 2, 2019 · f6d64b6 · f6d64b6
2 parents 84c0bce + 3443aad
commit f6d64b6
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 2 deletions.
diff --git a/index.js b/index.js
@@ -4,6 +4,7 @@ const requestModule = require('request-promise');
 const sandbox = require('./lib/sandbox');
 const decodeEmails = require('./lib/email-decode.js');
 const getDefaultHeaders = require('./lib/headers');
+const agentOptions = require('./lib/agent-options');
 const brotli = require('./lib/brotli');
 
 const {
@@ -35,7 +36,9 @@ function defaults (params) {
     // Remove Cloudflare's email protection
     decodeEmails: false,
     // Support gzip encoded responses
-    gzip: true
+    gzip: true,
+    // Adds secure TLSv1.3 ciphers when using older openssl versions
+    agentOptions
   };
 
   // Object.assign requires at least nodejs v4, request only test/supports v6+

diff --git a/lib/agent-options.js b/lib/agent-options.js
@@ -0,0 +1,42 @@
+'use strict';
+
+const tls = require('tls');
+
+const ciphers = getCiphers();
+
+if (ciphers !== -1) {
+  module.exports.ciphers = ciphers;
+}
+
+function getCiphers () {
+  // SSL_CTX_set_cipher_list will simply ignore any unsupported ciphers
+  const defaults = [
+    'TLS_AES_128_CCM_8_SHA256',
+    'TLS_AES_128_CCM_SHA256',
+    'TLS_AES_128_GCM_SHA256',
+    'TLS_AES_256_GCM_SHA384',
+    'TLS_CHACHA20_POLY1305_SHA256'
+  ];
+
+  // We already have these defaults if using openssl v1.1.1 and later
+  const v = process.versions.openssl.match(/(\d)+\.(\d+)\.(\d+)/);
+  if (v[1] >= 1 && v[2] >= 1 && v[3] >= 1) {
+    return -1;
+  }
+
+  const suites = tls.getCiphers()
+    .map(function (s) {
+      return s.toUpperCase();
+    });
+
+  let missing = false;
+  // Add the default TLSv1.3 cipher suites if missing
+  for (let i = 0; i < defaults.length; i++) {
+    if (suites.indexOf(defaults[i]) === -1) {
+      missing = true;
+      suites.push(defaults[i]);
+    }
+  }
+
+  return missing ? suites.join(':') : -1;
+}
diff --git a/test/helper.js b/test/helper.js
@@ -7,6 +7,7 @@ var express = require('express');
 
 // Clone the default headers for tests
 var defaultHeaders = Object.assign({}, require('../').defaultParams.headers);
+var agentOptions = require('../lib/agent-options');
 
 // Cache fixtures so they're only read from fs but once
 var cache = {};
@@ -31,7 +32,8 @@ var helper = {
       cloudflareMaxTimeout: 30000,
       challengesToSolve: 3,
       decodeEmails: false,
-      gzip: true
+      gzip: true,
+      agentOptions
     };
   },
   getFixture: function (fileName) {