From 24c07af34368fc59c3f8b96518ef4f083f7c3b54 Mon Sep 17 00:00:00 2001
From: Tom Kirkpatrick
Date: Thu, 15 Mar 2018 12:13:27 +0100
Subject: [PATCH] fix(ssl-handshake): update list of supported cipher suites

Update the list of supported cipher suites to use with openssl to include those supported by lnd, which are defined as: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 See https://github.com/lightningnetwork/lnd/blob/master/lnd.go#L80-L85 We order the suites by priority, based on the recommendations provided by SSL Labs: See https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites Fix #324
---
 app/lnd/lib/lightning.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/app/lnd/lib/lightning.js b/app/lnd/lib/lightning.js
index b6c55b2c..224d7352 100644
--- a/app/lnd/lib/lightning.js
+++ b/app/lnd/lib/lightning.js
@@ -3,6 +3,21 @@ import path from 'path'
 import grpc from 'grpc'
 import config from '../config'
 
+// Default is ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
+// https://github.com/grpc/grpc/blob/master/doc/environment_variables.md
+//
+// Current LND cipher suites here:
+// https://github.com/lightningnetwork/lnd/blob/master/lnd.go#L80
+//
+// We order the suites by priority, based on the recommendations provided by SSL Labs here:
+// https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites
+process.env.GRPC_SSL_CIPHER_SUITES = process.env.GRPC_SSL_CIPHER_SUITES || [
+ 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 'ECDHE-ECDSA-AES128-CBC-SHA256',
+ 'ECDHE-ECDSA-CHACHA20-POLY1305'
+].join(':')
+
 const lightning = (rpcpath, host) => {
 const lndCert = fs.readFileSync(config.cert)
 const credentials = grpc.credentials.createSsl(lndCert)
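Review bot: The priority order of the new `process.env.GRPC_SSL_CIPHER_SUITES` list puts the CBC suite `ECDHE-ECDSA-AES128-CBC-SHA256` ahead of `ECDHE-ECDSA-CHACHA20-POLY1305`, while the SSL Labs guidance the comment cites prefers AEAD suites (GCM and ChaCha20-Poly1305) over CBC; swapping the last two entries, `'ECDHE-ECDSA-CHACHA20-POLY1305',` then `'ECDHE-ECDSA-AES128-CBC-SHA256'`, keeps the list consistent with the stated rationale while still offering every suite lnd supports. The `||` fallback also means an explicitly empty `GRPC_SSL_CIPHER_SUITES` is overwritten rather than honored; if that is intended, a one-line comment such as `// an unset or empty value falls back to the lnd-compatible list` would make it explicit. Because ES module imports are hoisted above this assignment, `grpc` is already loaded when the variable is set, so this presumably relies on grpc reading the variable when credentials are created rather than at load time, which is worth confirming against the grpc version in use. The `lightning` function at the bottom of the hunk continues outside it.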