By not specifying a protocol, the following block will result in an HTTPS server that uses TLS 1.2:
var options = {
key: fs.readFileSync("security/server.key"),
cert: fs.readFileSync("security/server.crt")
};
https.createServer(options, app).listen(443);
However, one of my endpoints needs to act as a subscriber endpoint for the Fitbit API, which requires TLS 1.0. To do this, I need to set secureProtocol to TLSv1_method.
var options = {
key: fs.readFileSync("security/server.key"),
cert: fs.readFileSync("security/server.crt"),
secureProtocol: "TLSv1_method" // Fitbit subscription API requires TLS 1.0
};
https.createServer(options, app).listen(443);
What would be the best way to use TLS 1.0 for one endpoint and TLS 1.2 for all others? The answer may lie in the http-proxy module, but I'm having a hard time applying the documentation to my use case. Note that I am using different subdomains to differentiate the traffic.
If secureProtocol is not defined in the options, then by default node will create a https server that accepts connections on TLS 1.0, TLS 1.1 and TLS 1.2.
Example Server:
const https = require('https');
const fs = require('fs');
const options = {
key: fs.readFileSync('default-key.pem'),
cert: fs.readFileSync('default-cert.pem')
};
https.createServer(options, (req, res) => {
res.writeHead(200);
res.end('hello world\n');
}).listen(8000);
You can test this at the command line with curl:
Test for SSLv3 (will fail, it's disabled by default):
curl --sslv3 https://localhost:8000 -k
Test for TLSv1 (will work):
curl --tlsv1.0 https://localhost:8000 -k
Test for TLSv1.1 (will work):
curl --tlsv1.1 https://localhost:8000 -k
Test for TLSv1.2 (will work):
curl --tlsv1.2 https://localhost:8000 -k
Tested on node.js version 5.3.0 and 5.5.0 (latest stable).