How to remove RC4 cipher from node.js https server running on Windows 2012 R2
Disabling anything in the registry only affects what uses the Windows components for RC4 (IIS/IE). IIS Crypto is not related either - as you are not using IIS.
But you are using the node.js built in https.createServer
. All settings related to RC4 will then happen within node.js (as node.js does not care about the registry).
Newer better ciphers has been added to node.js which will come automatically with the next release of node.js
If you are using node.js 0.12 then update your cipher list from the current source.
It looks like you have specified the ciphers correctly. But are you sure this is the code you are executing? If you are using node.js 0.12 or later then RC4 is disabled by default! Make sure everything is properly updated and libraries are in order.
When you create the built in server instance it would look something like this:
var server = https.createServer({
key: privateKey,
cert: certificate,
ca: certificateAuthority,
// default node 0.12 ciphers with RC4 disabled!!!
ciphers: [
"ECDHE-RSA-AES256-SHA384",
"DHE-RSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA256",
"DHE-RSA-AES256-SHA256",
"ECDHE-RSA-AES128-SHA256",
"DHE-RSA-AES128-SHA256",
"HIGH",
"!aNULL",
"!eNULL",
"!EXPORT",
"!DES",
"!RC4",
"!MD5",
"!PSK",
"!SRP",
"!CAMELLIA"
].join(':'),
honorCipherOrder: true
}, app);
If you are using a recent node.js you should not specify ciphers but just use the defaults. It can however be practical to list them for debugging purposes.
For simple debugging then simply keep using SSL Labs. If SSL Labs still says RC4 is enabled - then try to disable one of the other cipher suites to verify that you are actually changing the actual code being used. If you see no change - then switch to Fiddler to ensure we are talking with the correct server.
The var agent = new https.Agent
so called "config" is not relevant. That snippet is creating an https.Agent (client) and specifies what ciphers you would like to connect with. You will then connect with one of these ciphers if they are offered from the server. The interesting part is https.createServer
Understand that when you browse the server and set headers using Fiddler - then you are doing the same as var agent = new https.Agent
. You request what cipher suite you would like to use. Try requesting RC4 only using Fiddler and see if that is accepted. Then you should look at what comes back from the server to verify that you are actually "talking" with the node.js instance that you think you are!
The snippet above and step by step instructions for A+ can be found at CertSimple
Troubleshooting steps:
Verify node.js version
Verify node/lib/tls.js version
Verify that you are connecting to the correct node.js instance (start/connect/stop/connect)
Set Fiddler to only accept RC4
If Fiddler connects with RC4 - then you need to modify some code. If Fiddler cannot connect with RC4 - and SSL Labs still does - then you have a proxy (or something else!) between your node.js and SSL Labs.
Update: If Fiddler is too hard to configure - then some practical tools to verify ciphers accepted by the server can be found on Superuser
I think the registry configuration only affects browsers, so you would need to set your ciphers in node.js
. This is what worked for me:
var agent = new https.Agent({
"key": key,
"cert": cert,
"ciphers": 'EECDH+AES128:EECDH+3DES:EDH+3DES:!SSLv2:!MD5:!DSS:!aNULL',
"honorCipherOrder": true
});
I figured out the answer.
The default ciphers for TLS are:
ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL
I found this by checking the tls.DEFAULT_CIPHERS property.
Notice RC4 is included.
So the default ciphers for https were fine, however tls has its own cipher default.