Bre*_*ent 2 ssl https openssl node.js
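I have a Node.js application that needs to check external resources for TLS compatibility. I need to restrict the specific ciphers Node.js will use when making external TLS requests. I'm looking for sample code that does this.
More info: Apple requires all outbound connections to be encrypted in iOS 9, and the list of allowed ciphers is limited.
The accepted ciphers are: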
```
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
```
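My goal is to build a service that checks that external servers meet Apple's requirements.

You can connect to each resource using that cipher list. If the connection succeeds, then you know one of those ciphers is in use, so it checks out. An exclusive cipher list can be set via the `ciphers` property. For example: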
```javascript
var tls = require('tls');

// Colon-separated list restricting the suites offered in the handshake
var ciphers = ['TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
               'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
               'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
               'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
               'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
               'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
               'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
               'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
               'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
               'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
               'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'].join(':');

tls.connect({
  host: 'example.com',
  port: 443,
  ciphers: ciphers
}, function() {
  // Success!
}).on('error', function(err) {
  // Unsuccessful! You may check `err` to make sure it wasn't an unexpected
  // error like ECONNREFUSED
});
```
You can also restrict the protocol used by setting the `secureProtocol` property. For example, to use TLSv1.2:
```javascript
var tls = require('tls');

// Colon-separated list restricting the suites offered in the handshake
var ciphers = ['TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
               'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
               'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
               'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
               'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
               'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
               'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
               'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
               'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
               'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
               'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'].join(':');

tls.connect({
  host: 'example.com',
  port: 443,
  ciphers: ciphers,
  secureProtocol: 'TLSv1_2_method' // only negotiate TLS 1.2
}, function() {
  // Success!
}).on('error', function(err) {
  // Unsuccessful! You may check `err` to make sure it wasn't an unexpected
  // error like ECONNREFUSED
});
```