Sto usando nodejs e Ubuntu.
Quando eseguo la scansione del mio dominio su trustwave.com ho ricevuto l'errore seguente
Blocca algoritmi di cifratura con blocco di 64 bit (come DES e 3DES) di un compleanno noto come Sweet32
This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Tripple DES (3DES) block ciphers with a block size of 64 bits, have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.
e Questo problema può essere evitato disabilitando i codici a blocchi di lunghezza 64 bit (come DES / 3DES) in tutti i server SSL / TLS. La procedura esatta dipende dall'attuazione effettiva. Fare riferimento alla documentazione del software del server SSL / TLS e del software di servizio effettivo (server http, server di posta, ecc.)
NOTE
1: This finding is based on a live test that actually detects which ciphers are supported by the server. It is very important to note that in many cases, a software update (backported version provided by Operating System vendor or "vanilla" release taken directly from SSL/TLS vendor) won't be enough to resolve this issue. Usually software update doesn't overwrite manually tweaked configuration files, which means, DES/3DES can be still available, even if the software update disables them by default.
Sono nuovo su nodejs e sever thing,
Ho usato il seguente codice
var constants = require('constants')
, https = require('https')
, path = require('path')
, tls = require('tls')
, fs = require('fs');
var sslOptions = {
key: fs.readFileSync('/etc/ssl/private/private.key'),
secureProtocol: 'SSLv23_server_method',
secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_TLSv1,
// secureOptions: require('constants').SSL_OP_NO_TLSv1,
cert: fs.readFileSync('/etc/ssl/certs/STAR_w.crt'),
ca: [
fs.readFileSync('/etc/ssl/certs/AddTrustExternalCARoot_1.crt'),
fs.readFileSync('/etc/ssl/certs/AddTrustExternalCARoot_2.crt'),
fs.readFileSync('/etc/ssl/certs/AddTrustExternalCARoot_3.crt')
],
ciphers:[
"ECDHE-RSA-AES256-SHA384",
"DHE-RSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA256",
"DHE-RSA-AES256-SHA256",
"ECDHE-RSA-AES128-SHA256",
"DHE-RSA-AES128-SHA256",
"ECDHE-RSA-DES-CBC3-SHA",
"DES-CBC3-SHA",
"ECDHE-RSA-DES-CBC3-SHA",
"DES-CBC3-SHA",
"HIGH",
"!aNULL",
"!eNULL",
"!EXPORT",
"!DES",
"!RC4",
"!MD5",
"!PSK",
"!SRP",
"!CAMELLIA"
].join(':'),
//ca: fs.readFileSync('/etc/ssl/certs/AddTrustExternalCARoot.crt'),
requestCert: false,
rejectUnauthorized: false
};
Qualche idea su come disabilitare il chiper?
Grazie