From 3bd7798eda09983e83775357cec41ec87ba11606 Mon Sep 17 00:00:00 2001 From: Julien Fontanet Date: Fri, 15 Sep 2017 11:43:02 +0200 Subject: [PATCH] fix(HTTPS): correctly use secure options Extra TLS options where not used due to incorrect code, it is now fixed. --- config.json | 26 +++++++++++++++----------- src/index.js | 13 +++++++------ 2 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/config.json b/config.json
index d5f97d658..7eaef46a8 100644
--- a/config.json
+++ b/config.json
@@ -8,20 +8,24 @@
 "port": 80
 }
 ],
- "mounts": {},
- // Ciphers to use.
- //
- // These are the default ciphers in Node 4.2.6, we are setting
- // them explicitly for older Node versions.
- "ciphers": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA",
+ // These options are applied to all listen entries.
+ "listenOptions": {
+ // Ciphers to use.
+ //
+ // These are the default ciphers in Node 4.2.6, we are setting
+ // them explicitly for older Node versions.
+ "ciphers": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA",
 
- // Tell Node to respect the cipher order.
- "honorCipherOrder": true,
+ // Tell Node to respect the cipher order.
+ "honorCipherOrder": true,
 
- // Specify to use at least TLSv1.1.
- // See: https://github.com/certsimple/minimum-tls-version
- "secureOptions": 117440512
+ // Specify to use at least TLSv1.1.
+ // See: https://github.com/certsimple/minimum-tls-version
+ "secureOptions": 117440512
+ },
+
+ "mounts": {}
 },
 
 "datadir": "/var/lib/xo-server/data",
diff --git a/src/index.js b/src/index.js
index cff8ea0e5..c00bd71e7 100644
--- a/src/index.js
+++ b/src/index.js
@@ -293,7 +293,7 @@ async function registerPlugins (xo) {
 // ===================================================================
-async function makeWebServerListen ({
+async function makeWebServerListen (webServer, {
 certificate,
 // The properties was called `certificate` before.
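Review bot: The protocol floor set by `"secureOptions": 117440512` in the new `listenOptions` block still admits TLS 1.1, which has been deprecated since RFC 8996; the value decodes to SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 (0x07000000), so the comment is accurate but the floor is too low for a server that is now actually applying these options. Adding SSL_OP_NO_TLSv1_1 (0x10000000) gives `"secureOptions": 385875968` with the comment changed to `// Specify to use at least TLSv1.2.`; please confirm the bit values against `require('constants')` on the oldest Node release you support, and prefer the `minVersion` TLS option where the Node version provides it. Because `listenOptions` is spread under each listen entry (see the `createWebServer` hunk below), I would also extend the new `// These options are applied to all listen entries.` comment with `// A key set on an individual entry overrides the shared value.` so operators know which side wins.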
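Review bot: `makeWebServerListen` gains an explicit `webServer` parameter in place of the former `this` binding, but the signature is still undocumented and the meaning of the second argument is only discoverable from the caller. I would add above the signature: `// Makes webServer listen on one entry of http.listen; the options object is that entry merged over http.listenOptions (see createWebServer).` The function body continues past the end of this hunk.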
@@ -308,9 +308,8 @@ async function makeWebServerListen ({
 readFile(key)
 ])
 }
-
 try {
- const niceAddress = await this.listen(opts)
+ const niceAddress = await webServer.listen(opts)
 debug(`Web server listening on ${niceAddress}`)
 } catch (error) {
 if (error.niceAddress) {
@@ -329,10 +328,12 @@ async function makeWebServerListen ({
 }
 }
-async function createWebServer (opts) {
+async function createWebServer ({ listen, listenOptions }) {
 const webServer = new WebServer()
- await Promise.all(mapToArray(opts, webServer::makeWebServerListen))
+ await Promise.all(mapToArray(listen,
+ opts => makeWebServerListen(webServer, { ...listenOptions, ...opts })
+ ))
 return webServer
 }
@@ -539,7 +540,7 @@ export default async function main (args) {
 const config = await loadConfiguration()
- const webServer = await createWebServer(config.http.listen)
+ const webServer = await createWebServer(config.http)
 // Now the web server is listening, drop privileges.
 try {
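Review bot: `createWebServer` now reads only `listen` and `listenOptions` from `config.http`, so a deployment whose local config still carries `ciphers`, `honorCipherOrder` or `secureOptions` directly under `http` (the layout this commit removes from config.json) keeps those settings silently ignored, which is exactly the condition the commit message says it fixes. I would detect the legacy keys and warn, so an operator who hardened the old keys learns that the values have moved; if the module has a warn-level logger, use it rather than `console.warn`. The spread order also deserves a comment, since a per-entry key wins over the shared one: `// Entry keys override the shared listenOptions.`
```javascript
async function createWebServer ({ listen, listenOptions, ciphers, honorCipherOrder, secureOptions }) {
  // These keys used to sit directly under `http` (and were never applied);
  // warn rather than silently dropping a hardened configuration.
  if (ciphers !== undefined || honorCipherOrder !== undefined || secureOptions !== undefined) {
    console.warn('http.ciphers, http.honorCipherOrder and http.secureOptions are ignored; move them under http.listenOptions')
  }
  const webServer = new WebServer()
  // … unchanged: per-entry makeWebServerListen loop (entry keys override listenOptions) and return …
```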