How to disable tls 1.0 and use only tls 1.1 using nodejs

Question

I want to disable the TLS v1.0 and use TLS 1.1 and above only.

By nodejs, I use the https module, how to set the https options?

I have read the api doc node api tls, but I still don't know how to set this.

I think it depends on the secureProtocol and cipher, but I just don't know how to set the value.

My node version is 0.10.36, and openssl version is 0.9.8j.

Answer 1

Marco's solution worked for me, but as TLS 1.1 is also considered a vulnerability, it is better to disable both and go with TLS 1.2

const { constants } = require('crypto')
https.createServer({
    secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1
    pfx: fs.readFileSync(path.resolve(pathToCert))
}, app).listen(443)

Answer 2

This will be helpful if any one is using MEANjs

use

secureProtocol: 'TLSv1_2_server_method',

instead of

secureProtocol: 'TLSv1_method',

file location config/lib/socket.io.js

Works without issue.

Answer 3

The use of the constants module is undocumented. A better way to disable TLS v1.0 would be to use constants from the crypto module instead. See the documentation on the Node.js website for reference.

The solution then becomes the following:

const { constants } = require('crypto')
https.createServer({
    secureOptions: constants.SSL_OP_NO_TLSv1,
    pfx: fs.readFileSync(path.resolve(pathToCert))
}, app).listen(443)

Answer 4

TLS 1.0 should no longer be used. This works to disable TLS 1.0 in node.js:

https.createServer({
    secureOptions: require('constants').SSL_OP_NO_TLSv1,
    pfx: fs.readFileSync(path.resolve(pathToCert))
}, app).listen(443);

You can verify this using this tool: ssllabs