Google recently announced that there is an exploit in SSLv3, this vulnerability is know as POODLE. There is no other option than to disable SSLv3 in order to combat this major flaw. There have already been guides on how to disable this in different servers. But nothing excised for Node.js yet, until now. In order to resolve this for Node.js we need to use various of undocumented options and modules.
index.js file below you can see an example of how you can protect your HTTPS server
against the POODLE attack. It uses the
secureOptions option to pass in constants in to the
SSL context which is created by node.
Start the server locally by running:
sudo node index.js
And see if SSLv3 is correctly disabled by connecting with an openssl client:
openssl s_client -connect 127.0.0.1:443 -ssl3
It should respond with a handshake failure:
CONNECTED(00000003) 47309:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s3_pkt.c:546:
If we connect normally, it will just work:
openssl s_client -connect 127.0.0.1:443
We have implemented the changes above but now when requests come into the server node crashes with the following error:
Has anyone run into this before and found a solution? We have tested and verified that our node server no longer allows SSL3 but as soon as something tries to communicate that way the above happens.