Add/Enable cipher from SSLv3 (DHE-RSA-AES256-SHA) to TLS 1.2 in Node JS TLS

1
votes

I have a medical device (client) that I have no control over. When an event happens on that device (client) it connects to my server via tls v1.2 to pass data. The error that I have is "no shared cipher".

[Error: 3160:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:openssl\ssl\statem\statem_srvr.c:1419: ]

After long investigation it looks like the client cipher suite is not supported in node js 10.9.0. I tried to overwrite default ciphers (DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA. see code below) and the change is taken in consideration because I tried to connect with openssl s_client and fails as it does not support the ciphers. If I set the ciphers to ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA openssl s_client connects. If I do openssl ciphers -sslv3 in the list I see the DHE-RSA-AES128-SHA and DHE-RSA-AES256-SHA. But the client does not connect.

The connection handshake Wireshark tls negociation

My Server code: 

const tls = require('tls');
const fs = require('fs');

tls.DEFAULT_CIPHERS = 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA';

const options = {
    key: fs.readFileSync(__dirname + '\\cert\\private-key.pem'),
    cert: fs.readFileSync(__dirname + '\\cert\\cert.pem'),
    rejectUnauthorized: false
};

const server = tls.createServer(options, (socket) => {
    console.log('server connected',
        socket.authorized ? 'authorized' : 'unauthorized');

    socket.write('welcome!\n');
    socket.setEncoding('utf8');
    socket.pipe(socket);
});

server.on('tlsClientError', (error, tlsSocket) => {
    console.log(error);
});

server.listen(8081, () => {
    console.log('server bound', 8011);
});

Openssl s_client

ciphers ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA openssl supported cipher

ciphers DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA openssl unsupported cipher

How can I add or workaround this old ciphers ?

Edit new response: Handshake pass

** New options **

const options = {
key: fs.readFileSync(__dirname + '/cert/sentinel-private-key.pem'),
cert: fs.readFileSync(__dirname + '/cert/sentinel-cert.pem'),
dhparam: fs.readFileSync(__dirname + '/cert/dhparams.pem'),
ca:  [fs.readFileSync(__dirname + '/cert/ca-cert.ca')],
rejectUnauthorized: false
1
node.jssslopensslrsatls1.2

1 Answers

2
votes

The client requires that your server supports perfect forward secrecy using DHE based ciphersuites. In order for that to happen you need to configure your server with appropriate DH parameters.

First you must generate your parameters, e.g.:

 openssl dhparam -out dhparams.pem 2048

Next you need to configure your application to use them. Instructions for doing this in Nodes.js are available here:

https://nodejs.org/docs/latest-v10.x/api/tls.html#tls_perfect_forward_secrecy