This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

tls / ssl disable TLS_*_anon_* ciphers when ciphers is set to 'HIGH' #9405

Closed
baslr opened this issue Mar 12, 2015 · 2 comments

Comments


baslr commented Mar 12, 2015

ssllabs.com reports insecure cipher suites.

My ciphers option in https.createServer is HIGH.

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE      256
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE      128
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE     112
@misterdjules

The ciphers option for https.createServer is directly passed to OpenSSL. HIGH doesn't mean that it's "a high level of security" but that, according to OpenSSL's documentation, it includes "those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys".

So if you'd like ssllabs.com to report that your server cannot use insecure ciphers, you will want to specify something other than HIGH in your cipher suites.

By default, node v0.10 uses the following cipher suites:

ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

and node v0.12 uses the following:

ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL

There's more background regarding the change of cipher suites between v0.10 and v0.12 in #8272.

If these default cipher suites are not secure, please let us know.

To know how to specify cipher suites that are considered secure, you might also want to check other resources more specific to SSL/TLS and/or OpenSSL such as Qualys' blog or Mozilla's Wiki.
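
Since the ciphers option is handed to OpenSSL unchanged, the quickest way to see what a string like HIGH actually enables is to expand it with the openssl CLI and look at the Au= column. The following is an added example (not part of this issue thread, and not Node's or OpenSSL's own code); it assumes an openssl binary is on PATH. It counts the unauthenticated suites in a cipher string, which is what the TLS_*_anon_* entries in the SSL Labs report correspond to:

```shell
#!/bin/sh
# Added example, not from the issue: inspect an OpenSSL cipher string the way
# Node's https.createServer({ ciphers: ... }) passes it to OpenSSL.
# Assumes the `openssl` command-line tool is installed and on PATH.

# Expand cipher string $1 into the suites it selects, one per line, in the
# verbose format "NAME PROTO Kx=... Au=... Enc=... Mac=...".
# Note: `openssl ciphers` does not apply the library's security level, so it
# shows everything the string matches, including suites a modern OpenSSL
# would refuse to negotiate at runtime.
expand_ciphers() {
    openssl ciphers -v "$1"
}

# Print only the anonymous (unauthenticated) suites: the Au= column reads
# "Au=None" for the ADH-*/AECDH-* suites that SSL Labs lists as
# TLS_DH_anon_*/TLS_ECDH_anon_* and flags INSECURE.
anon_suites() {
    expand_ciphers "$1" | awk '$4 == "Au=None" { print $1 }'
}

# Number of anonymous suites selected by cipher string $1; the value a
# hardened server configuration wants is 0.
count_anon() {
    anon_suites "$1" | awk 'END { print NR }'
}

# Compare the string from the issue with the fix the reporter applied.
# An anonymous suite gives an attacker on the path a trivial
# man-in-the-middle, since neither side proves its identity.
for spec in 'HIGH' 'HIGH:!aNULL'; do
    printf '%-12s -> %s anonymous suite(s)\n' "$spec" "$(count_anon "$spec")"
done
```

Run it as `sh check_anon.sh` (the file name is arbitrary). The same awk filter works on any cipher string you intend to put in the ciphers option, including the v0.10 and v0.12 defaults quoted above, both of which end in !aNULL for exactly this reason.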


baslr commented Mar 13, 2015

Hi,
thanks for your help. I added !aNULL to exclude anon ciphers.

@baslr baslr closed this as completed Mar 13, 2015