tls: update default ciphers to use gcm and aes128

AES-GCM or CHACHA20_POLY1305 ciphers must be used in current version of Chrome to avoid an 'obsolete cryptography' warning. Prefer 128 bit AES over 192 and 256 bit AES considering attacks that specifically affect the larger key sizes but do not affect AES 128. PR-URL: https://github.com/iojs/io.js/pull/1660 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: Roman Reiss <me@silverwind.io>
10 years ago · 5755fc099f
2 changed files with 40 additions and 10 deletions
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@ -141,14 +141,37 @@ automatically set as a listener for the [secureConnection][] event.  The
  - `ciphers`: A string describing the ciphers to use or exclude, seperated by
    `:`. The default cipher suite is:
-        ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:
+        ECDHE-RSA-AES128-GCM-SHA256:
-        DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:
+        ECDHE-ECDSA-AES128-GCM-SHA256:
-        HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA
+        ECDHE-RSA-AES256-GCM-SHA384:
-
+        ECDHE-ECDSA-AES256-GCM-SHA384:
-    The default cipher suite prefers ECDHE and DHE ciphers for Perfect Forward
+        DHE-RSA-AES128-GCM-SHA256:
-    secrecy, while offering *some* backward compatibiltity. Old clients which
+        ECDHE-RSA-AES128-SHA256:
-    rely on insecure and deprecated RC4 or DES-based ciphers (like Internet
+        DHE-RSA-AES128-SHA256:
-    Explorer 6) aren't able to complete the handshake with the default
+        ECDHE-RSA-AES256-SHA384:
        DHE-RSA-AES256-SHA384:
        ECDHE-RSA-AES256-SHA256:
        DHE-RSA-AES256-SHA256:
        HIGH:
        !aNULL:
        !eNULL:
        !EXPORT:
        !DES:
        !RC4:
        !MD5:
        !PSK:
        !SRP:
        !CAMELLIA
    The default cipher suite prefers GCM ciphers for [Chrome's 'modern
    cryptography' setting] and also prefers ECDHE and DHE ciphers for Perfect
    Forward secrecy, while offering *some* backward compatibiltity.
    128 bit AES is preferred over 192 and 256 bit AES in light of [specific
    attacks affecting larger AES key sizes].
    Old clients that rely on insecure and deprecated RC4 or DES-based ciphers
    (like Internet Explorer 6) aren't able to complete the handshake with the default
    configuration. If you absolutely must support these clients, the
    [TLS recommendations] may offer a compatible cipher suite. For more details
    on the format, see the [OpenSSL cipher list format documentation].
@ -784,6 +807,8 @@ The string representation of the local IP address.
 The numeric representation of the local port.
 [OpenSSL cipher list format documentation]: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT
 [Chrome's 'modern cryptography' setting]: http://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome
 [specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
 [BEAST attacks]: http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
 [tls.createServer]: #tls_tls_createserver_options_secureconnectionlistener
 [tls.createSecurePair]: #tls_tls_createsecurepair_context_isserver_requestcert_rejectunauthorized
--- a/lib/tls.js
+++ b/lib/tls.js
@ -15,12 +15,17 @@ exports.CLIENT_RENEG_WINDOW = 600;
 exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024;
 exports.DEFAULT_CIPHERS = [
  'ECDHE-RSA-AES128-GCM-SHA256',
  'ECDHE-ECDSA-AES128-GCM-SHA256',
  'ECDHE-RSA-AES256-GCM-SHA384',
  'ECDHE-ECDSA-AES256-GCM-SHA384',
  'DHE-RSA-AES128-GCM-SHA256',
  'ECDHE-RSA-AES128-SHA256',
  'DHE-RSA-AES128-SHA256',
  'ECDHE-RSA-AES256-SHA384',
  'DHE-RSA-AES256-SHA384',
  'ECDHE-RSA-AES256-SHA256',
  'DHE-RSA-AES256-SHA256',
  'ECDHE-RSA-AES128-SHA256',
  'DHE-RSA-AES128-SHA256',
  'HIGH',
  '!aNULL',
  '!eNULL',