Reputation: 2632
How can I block TLS 1.0 and TLS 1.1 on my Node.js Express server? I'm using a traditional server setup script:
import express from 'express';

const app = express();
export const server = app.listen(3000);
I'm slightly confused why I couldn't find any documentation on this.
Upvotes: 7
Views: 6374
Reputation: 7787
Usually you will be running your Express server behind something else, like an Nginx proxy, an AWS Load Balancer, or some other piece of software or hardware that terminates TLS. In your example, you're not listening over HTTPS at all, you're listening for HTTP connections on port 3000. The configuration would usually be done outside of your Node app, but if you do want to do it in your Node app, it would be like this:
const express = require('express')
const https = require('https')
const fs = require('fs')
const { constants } = require('crypto')
const app = express()
const opts = {
  key: fs.readFileSync('/path/to/key.pem'),
  cert: fs.readFileSync('/path/to/chain.pem'),
  // OpenSSL option bits: refuse TLS 1.0 and TLS 1.1 handshakes
  secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,
}
// other app logic
// Or 443 if you run it as root, which is not recommended;
// instead you should proxy to it.
https.createServer(opts, app).listen(3443)
Upvotes: 7
Reputation: 11
The accepted answer has a typo as Aditya Acharya suggested, but I have no reputation to directly comment on it. The line
const { options } = require('crypto')
should be
const { constants } = require('crypto')
instead; otherwise the references to constants in
secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,
would all be invalid.
Upvotes: 1
Reputation: 1283
Example:
const fs = require("fs");
const path = require("path");
const https = require("https");
const express = require("express");
const app = express();
const https_options = {
  // PKCS#12 bundle containing the certificate chain and private key
  pfx: fs.readFileSync(path.join(__dirname, "../ssl/cert.pfx")),
  passphrase: "password",
  // refuse any handshake below TLS 1.2, so TLS 1.0 and 1.1 are blocked
  minVersion: "TLSv1.2"
};
const server = https.createServer(https_options, app);
minVersion is the easiest way to accomplish this, as mentioned here: https://stackoverflow.com/a/62051684/4487632
Upvotes: 1