NodeJS TLS Stuff

[joshxyzhimself]

Hi, love this project it's solid 💯 💯

Has anyone played with the uws equivalent of following, or got thoughts on them?

• NodeJS honorCipherOrder
• NodeJS ecdhCurve
• NodeJS secureOptions crypto.constants.SSL_OP_CIPHER_SERVER_PREFERENCE
• NodeJS secureOptions crypto.constants.SSL_OP_PRIORITIZE_CHACHA
• NodeJS secureOptions crypto.constants.SSL_OP_NO_TLSv1_2 (forces tlsv1.3)
• NodeJS SSL Reload
• Use of ECH (Encrypted Client Hello) in the future?

Example usage in NodeJS is the following

const https_server_options = {
  key,
  cert,
  ca,
  minVersion: tls_min_version,
  maxVersion: 'TLSv1.3',
  ecdhCurve: 'auto',
  honorCipherOrder: true,
  secureOptions: crypto.constants.SSL_OP_NO_TICKET
    | crypto.constants.SSL_OP_NO_SSLv2
    | crypto.constants.SSL_OP_NO_SSLv3
    | crypto.constants.SSL_OP_NO_TLSv1
    | crypto.constants.SSL_OP_NO_TLSv1_1
    | crypto.constants.SSL_OP_CIPHER_SERVER_PREFERENCE
    | crypto.constants.SSL_OP_PRIORITIZE_CHACHA,
};
if (tls_min_version === 'TLSv1.3') {
  https_server_options.secureOptions |= crypto.constants.SSL_OP_NO_TLSv1_2;
}
if (dhparam !== undefined) {
  https_server_options.dhparam = dhparam;
}
const https_server = https.createServer(https_server_options, some_request_listener);

References

• https://nodejs.org/api/tls.html#tls_server_setsecurecontext_options (SSL Reload)
• https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options (honorCipherOrder, ecdhCurve, secureOptions, etc)
• https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello (ECH)
• Support Encrypted Client Hello (formerly known as ESNI) openssl/openssl#7482 (ECH)

[ghost]

We do expose SSL_CTX pointers to the user to make specialized options like those, but for Node.js that's of course not possible. If you have an SSL option you need, and have economic incentive to make it happen -> go for it.

[joshxyzhimself]

Hi @alexhultman-2fa, noted on that, thanks a lot!

Also, is there a way to detect if the current request is a secure one? Something like req.socket.encrypted in node's http internal library?

• NodeJS [http.IncomingMessage].socket.encrypted (Boolean, true if within tls secure context)

Reference

• https://nodejs.org/api/http.html#http_message_socket
• https://nodejs.org/api/tls.html#tls_tlssocket_encrypted

[hst-m]

I would not want to mess up my function signature because it is unnecessary for each individual function call to add app create_handler(app, async (response, request) => { you should just add the encrypted (or stage vs production) variable into the context of the create_handler function so it is accessible, however you are defining the function

[ghost]

Isn't the class name different for SSL vs non-SSL?

[hst-m]

yes looks like you can check app.constructor.name and it will equal 'uWS.SSLApp' or 'uWS.App' so you don't need to set anything extra, or can use your own variable for stage vs production etc

[ghost]

So isn't this usable with instanceof? Sounds like a typical dynamic dispatch in OO. Should be possible.

[hst-m]

I tried app instanceof uws.SSLApp but that doesn't work, I see the class name is set here https://github.com/uNetworking/uWebSockets.js/blob/master/src/AppWrapper.h#L514 but I think no point using either when you can easily track your own variable