It is not recommended to use TLS protocol versions less than 1.2. Using outdated TLS protocol versions lead to the use of outdated, vulnerable cipher suites. TLS 1.0 and 1.1 are vulnerable to downgrade attacks since they rely on SHA-1 hash for the integrity of exchanged messages. TLS 1.1 or below does not provide the option to select more robust hashing algorithms, which the newer protocols do.
This issue is detected when the secureProtocol
or minVersion
and maxVersion
options are set to a version less that 1.2 and
used with tls
, https
or request
modules.
const options = {
secureProtocol: 'TLSv1_method', // insecure version
minVersion: 'TLSv1.1', // insecure version
maxVersion: 'TLSv1.2'
}
const connection = tls.connect(443, 'www.abc.com', options, () => { })
const req = https.request(options, res => { })
const socket = request.get(options)
const options = {
secureProtocol: 'TLSv1_2_method',
minVersion: 'TLSv1.2',
maxVersion: 'TLSv1.3'
}
const connection = tls.connect(443, 'www.abc.com', options, () => { })
const req = https.request(options, res => { })
const socket = request.get(options)