103 lines
2.2 KiB
Plaintext
103 lines
2.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
``++secureProtocol++``, ``++minVersion++``/``++maxVersion++`` and ``++secureOptions++`` should not be set to use weak TLS protocols (TLSv1.1 and lower):
|
|
|
|
----
|
|
let options = {
|
|
secureProtocol: 'TLSv1_method' // Noncompliant: TLS1.0 is insecure
|
|
};
|
|
|
|
let options = {
|
|
minVersion: 'TLSv1.1', // Noncompliant: TLS1.1 is insecure
|
|
maxVersion: 'TLSv1.2'
|
|
};
|
|
|
|
let options = {
|
|
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1
|
|
}; // Noncompliant TLS 1.1 (constants.SSL_OP_NO_TLSv1_1) is not disabled
|
|
----
|
|
|
|
https://nodejs.org/api/https.html[https] built-in module:
|
|
|
|
----
|
|
let req = https.request(options, (res) => {
|
|
res.on('data', (d) => {
|
|
process.stdout.write(d);
|
|
});
|
|
}); // Noncompliant
|
|
----
|
|
|
|
https://nodejs.org/api/tls.html[tls] built-in module:
|
|
|
|
----
|
|
let socket = tls.connect(443, "www.example.com", options, () => { }); // Noncompliant
|
|
----
|
|
|
|
https://www.npmjs.com/package/request[request] module:
|
|
|
|
----
|
|
let socket = request.get(options);
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Set either ``++secureProtocol++`` or ``++secureOptions++`` or ``++minVersion++`` to use secure protocols only (TLSv1.2 and higher):
|
|
|
|
----
|
|
let options = {
|
|
secureProtocol: 'TLSv1_2_method'
|
|
};
|
|
// or
|
|
let options = {
|
|
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1
|
|
};
|
|
// or
|
|
let options = {
|
|
minVersion: 'TLSv1.2'
|
|
};
|
|
----
|
|
|
|
https://nodejs.org/api/https.html[https] built-in module:
|
|
|
|
----
|
|
let req = https.request(options, (res) => {
|
|
res.on('data', (d) => {
|
|
process.stdout.write(d);
|
|
});
|
|
}); // Compliant
|
|
----
|
|
|
|
|
|
https://nodejs.org/api/tls.html[tls] built-in module:
|
|
|
|
----
|
|
let socket = tls.connect(443, "www.example.com", options, () => { });
|
|
----
|
|
|
|
https://www.npmjs.com/package/request[request] module:
|
|
|
|
----
|
|
let socket = request.get(options);
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|