
How can I block TLS 1.0 and TLS 1.1 on my Node.js Express server? I'm using a traditional server setup script:

import express from 'express';

const app = express();
export const server = app.listen(3000);

I'm slightly confused why I couldn't find any documentation on this.

John Kugelman
ForgetfulFellow

2 Answers


Usually you will be running your Express server behind something else, like an Nginx proxy, an AWS Load Balancer, or some other piece of software or hardware that terminates TLS. In your example, you're not listening over HTTPS at all, you're listening for HTTP connections on port 3000. The configuration would usually be done outside of your Node app, but if you do want to do it in your Node app, it would be like this:

const express = require('express')
const https = require('https')
const fs = require('fs')
const { constants } = require('crypto') // the SSL_OP_* flags live on crypto.constants
const app = express()

const opts = {
  key: fs.readFileSync('/path/to/key.pem'),
  cert: fs.readFileSync('/path/to/chain.pem'),
  // Disable TLS 1.0 and TLS 1.1 at the OpenSSL level; TLS 1.2 and 1.3 stay enabled
  secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,
}

// other app logic

// Or 443 if you run it as root, which is not recommended;
// instead you should proxy to it.
https.createServer(opts, app).listen(3443)
Zac Anger
  • Thanks @Zac! Do you have any documentation pointing to how it's preferable to block lower TLS versions through our load balancer vs. directly on our Node app? – ForgetfulFellow Jan 10 '21 at 03:51
  • This depends on your environment and if you have compliance needs, but here are some related questions on Stack Overflow: https://security.stackexchange.com/questions/30403/should-ssl-be-terminated-at-a-load-balancer https://stackoverflow.com/questions/42027582/application-load-balancer-elbv2-ssl-pass-through https://stackoverflow.com/questions/39492117/where-to-terminate-ssl-tls-in-node-nginx. But of course if you're running a small or low-traffic app and don't want to deal with a load balancer or reverse proxy, Node can totally do it; it's just not ideal for prod workloads. – Zac Anger Jan 10 '21 at 15:26
  • Awesome, this is very helpful! Thanks @Zac – ForgetfulFellow Jan 11 '21 at 22:55
  • You are trying to modify `const option` and it throws a compile-time error. I believe there is a typo; could you please correct this? – Aditya Acharya Dec 06 '21 at 12:08

Example:

const express = require("express");
const fs = require("fs");
const https = require("https");
const path = require("path");
const app = express();

const https_options = {
  pfx: fs.readFileSync(path.join(__dirname, "../ssl/cert.pfx")),
  passphrase: "password",
  minVersion: "TLSv1.2" // handshakes offering only TLS 1.0 or 1.1 are rejected
}

const server = https.createServer(https_options, app);

minVersion is the easiest way to accomplish this as mentioned here: https://stackoverflow.com/a/62051684/4487632

Bill Christo
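Both answers reject TLS 1.0/1.1 at the handshake, so once the setting is live you never learn which clients it broke. The middleware below is an added example, not code from either answer: it reads the version each connection negotiated through `req.socket.getProtocol()` and either only counts and logs legacy connections (audit mode, run before setting `minVersion`) or answers them with 426 Upgrade Required (enforce mode). It assumes Node terminates TLS itself via `https.createServer(opts, app)`; behind a TLS-terminating proxy `req.socket` is plain TCP, has no `getProtocol()`, and such requests are passed through untouched.

```javascript
// Added example, not part of either answer. Express-compatible middleware that
// inspects the TLS version negotiated on the request's socket. Run it in audit
// mode with minVersion unset to see who still speaks TLS 1.0/1.1, then set
// minVersion: 'TLSv1.2' (or enforce: true here) once those clients are gone.
// Assumes Node serves TLS itself; behind a TLS-terminating proxy req.socket is
// a plain TCP socket without getProtocol(), so requests pass straight through.
const ALLOWED_PROTOCOLS = new Set(['TLSv1.2', 'TLSv1.3']);

// Negotiated protocol name as reported by tls.TLSSocket#getProtocol()
// ('TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'), or null for a non-TLS socket.
function negotiatedProtocol(socket) {
  return socket && typeof socket.getProtocol === 'function'
    ? socket.getProtocol()
    : null;
}

// Builds the middleware. `log` receives one line per legacy connection;
// `enforce` turns logging-only into rejection with 426 Upgrade Required.
function tlsVersionGuard({ enforce = false, log = () => {} } = {}) {
  const counts = { modern: 0, legacy: 0, plaintext: 0 };
  function middleware(req, res, next) {
    const proto = negotiatedProtocol(req.socket);
    if (proto === null) {
      counts.plaintext += 1;
      return next();
    }
    if (ALLOWED_PROTOCOLS.has(proto)) {
      counts.modern += 1;
      return next();
    }
    counts.legacy += 1;
    log(`legacy ${proto} handshake from ${req.socket.remoteAddress || 'unknown'}`);
    if (enforce) {
      // Plain Node http response methods, so this also works without Express.
      res.statusCode = 426;
      res.setHeader('Upgrade', 'TLS/1.2');
      res.end('TLS 1.2 or newer is required');
      return;
    }
    return next();
  }
  middleware.counts = counts; // exposed for a health endpoint or tests
  return middleware;
}

// Usage with either answer's setup: app.use(tlsVersionGuard({ log: console.warn }))
```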