SSLv3 connectivity in Node LTS

Question

SSLv3 connectivity in Node LTS

gschwa opened this issue 9 years ago · 7 comments

gschwa commented 9 years ago

Believe it or not there are still "secure" sites running SSLv3 and I need to connect to it. When I set the:

secureProtocol: 'SSLv3_method'

I get back: Error: SSLv3 methods disabled

I am using Node 4.2.2. Is there anything I can do to enable SSLv3?

Answer 1 · 2015-11-06T19:05:31.000Z

No, we build without SSLv3 support as it is effectively broken entirely and you might as well be using regular http.

See:

Discussion: nodejs/node-convergence-archive#20
A bit more: #2514
Original removal in io.js: #315

Answer 2 · 2015-11-06T19:59:21.000Z

Your only option is to use an old version of node, but still you really should not be using anything less than TLSv1 at this point if you care about security. You might contact the server owner and ask them to at least permit TLSv1+ connections.

Answer 3 · 2015-11-09T01:54:28.000Z

Closing as there isn't really anything actionable that we can do on this one

Answer 4 · 2017-07-12T16:31:22.000Z

What's the standard practice to let node throw an exception/warning message when using SSLv3/2? I had to spend quite some time debugging this issue since I just picked node back up and wasn't aware of this functionality. The only way I could get more information was from openssl cli, but it would have've been much nicer if there are existing warning or documentations.

In my case, the same key/cert worked for a Java application so the debugging process has been particularly painful.

If I missed anything apparent, please feel free to let me know. Thanks!

Answer 5 · 2017-07-12T16:55:48.000Z

@richardzyx Hi! This issue tracker is for bugs and issues found within Node.js core.
For more general support questions like that, please file an issue on our help
repo. https://github.com/nodejs/help

Thanks!

Answer 6 · 2019-12-20T06:22:04.000Z

Hi!

What version of nodejs and which modules supported TLSv1/SSLv3?
I develop a script that should get data from the sites running TLSv1/SSLv3.

Answer 7 · 2019-12-21T03:22:52.000Z

@YuriyTigiev Not sure what you mean by "which modules" but SSLv3 has been disabled-by-default since Node.js 4.0.0. (It was disabled during the io.js fork.)

I'm going to lock this issue. For more questions or clarifications, consider opening a new issue in this repo or in https://github.com/nodejs/help. You can also ask on StackOverflow, in IRC, etc.