Configure https agent to allow only TLS1.2 for outgoing requests
I'm making HTTPS connections from a node app, using a client certificate:
var options = {
hostname: 'https://my-server.com',
port: 443,
path: '/',
method: 'GET',
key: fs.readFileSync('client1-key.pem'),
cert: fs.readFileSync('client1-crt.pem'),
ca: fs.readFileSync('ca-crt.pem') };
var req = https.request(options, res => {
[...]
});
Everything is working fine, however I want to add code to ensure only TLS 1.2 connections are allowed. I cannot find any way to configure this in the https.agent options, or elsewhere. Is it possible to configure this, or do I have to make a connection and then query the protocol version, with something like:
res.socket.getProtocol() === 'TLSv1.2'
and abort the connection if the protocol is not satisfactory?
Answer
First I found the docs on making HTTPS requests. It mentions that you can pass additional options to tls.connect() which includes something called secureProtocol. Digging into tls.connect(), I found the secureContext option which mentions tls.createSecureContext(). And there it finally mentions secureProtocol which can be specified with a string from an OpenSSL page. I picked a string that looked reasonable (TLSv1_2_method) and passed the secureProtocol option directly into https.request.
This prints SSL Version: TLS 1.2 with the given secureProtocol and SSL Version: TLS 1.1 with secureProtocol: "TLSv1_1_method". The error handler at the end will get called if a connection cannot be established with the given TLS version.
var https = require('https')
var options = {
hostname: 'www.howsmyssl.com',
port: 443,
path: '/a/check',
method: 'GET',
secureProtocol: "TLSv1_2_method"
}
https.request(options, res => {
let body = ''
res.on('data', d => body += d)
res.on('end', () => {
data = JSON.parse(body)
console.log('SSL Version: ' + data.tls_version)
})
}).on('error', err => {
// This gets called if a connection cannot be established.
console.warn(err)
}).end()