fix(HTTPS): correctly use secure options

Extra TLS options where not used due to incorrect code, it is now fixed.
2017-09-15 11:43:02 +02:00 · 2017-09-15 11:43:02 +02:00 · 3bd7798eda
commit 3bd7798eda
parent a6c2622f6b
2 changed files with 22 additions and 17 deletions
--- a/config.json
+++ b/config.json
@ -8,20 +8,24 @@
        "port": 80
      }
    ],
-    "mounts": {},

-    // Ciphers to use.
-    //
-    // These are the default ciphers in Node 4.2.6, we are setting
-    // them explicitly for older Node versions.
-    "ciphers": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA",
+    // These options are applied to all listen entries.
+    "listenOptions": {
+      // Ciphers to use.
+      //
+      // These are the default ciphers in Node 4.2.6, we are setting
+      // them explicitly for older Node versions.
+      "ciphers": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA",

-    // Tell Node to respect the cipher order.
-    "honorCipherOrder": true,
+      // Tell Node to respect the cipher order.
+      "honorCipherOrder": true,

-    // Specify to use at least TLSv1.1.
-    // See: https://github.com/certsimple/minimum-tls-version
-    "secureOptions": 117440512
+      // Specify to use at least TLSv1.1.
+      // See: https://github.com/certsimple/minimum-tls-version
+      "secureOptions": 117440512
+    },
+
+    "mounts": {}
  },
  "datadir": "/var/lib/xo-server/data",

--- a/src/index.js
+++ b/src/index.js
@ -293,7 +293,7 @@ async function registerPlugins (xo) {

 // ===================================================================

-async function makeWebServerListen ({
+async function makeWebServerListen (webServer, {
  certificate,

  // The properties was called `certificate` before.
@ -308,9 +308,8 @@ async function makeWebServerListen ({
      readFile(key)
    ])
  }
-
  try {
-    const niceAddress = await this.listen(opts)
+    const niceAddress = await webServer.listen(opts)
    debug(`Web server listening on ${niceAddress}`)
  } catch (error) {
    if (error.niceAddress) {
@ -329,10 +328,12 @@ async function makeWebServerListen ({
  }
 }

-async function createWebServer (opts) {
+async function createWebServer ({ listen, listenOptions }) {
  const webServer = new WebServer()

-  await Promise.all(mapToArray(opts, webServer::makeWebServerListen))
+  await Promise.all(mapToArray(listen,
+    opts => makeWebServerListen(webServer, { ...listenOptions, ...opts })
+  ))

  return webServer
 }
@ -539,7 +540,7 @@ export default async function main (args) {

  const config = await loadConfiguration()

-  const webServer = await createWebServer(config.http.listen)
+  const webServer = await createWebServer(config.http)

  // Now the web server is listening, drop privileges.
  try {