disable TLS 1.0

[skilbjo]

$ curl -i --tlsv1.0 --tls-max 1.0 localhost:8001
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
content-type: text/plain

mockttp server accepts remote connections using a depreciated implementation of TLS 1.0, which has a number of cryptographic design flaws.

[pimterry]

Yes, but this is generally used as a testing/debugging proxy, usually on localhost or within a local network, so compatibility & broader protocol support are generally higher priority than incoming connection security (note that Mockttp does not accept TLS1.0 when making upstream outbound connections, by default).

Is there a particular reason and/or use case where this is important to you? It'd be great if you could share more context. I'd be open to adding an option to control this now, and potentially changing the default with a major release in future, if there's a clear case where this is important.

[skilbjo]

It might be a little embarrassing to admit publicly 🐵 , but I use mockttp to host the xhr.dev proxy server. It's the only server I found that allowed both proxy connections to work over http + https, redirect http to https, respected / knew what to do with the HTTP CONNECT method, and unwrapped the TLS tunnel to MitM the requests (needed for the xhr.dev service to work). It also is a dream for unit testing -- very easy to spin up a server, run a request through, confirm the expected output. I mean it's a dream library to work with.

For my use case, just the ability to block TLS 1.0 and 1.1 connections is enough. No particular need from me to change the defaults, but I would like to configure it to be secure (with regards/respect to everything else I'm doing with the xhr.dev project)

[pimterry]

Fair enough, that makes sense! Cool to see Mockttp being used in this way, sounds like an interesting project.

Would you like to open a PR to add this? I think the best solution would be to add a tlsServerOptions option to MockttpHttpsOptions, allowing you to pass Node TLS options (for now, just listing the ones we specifically want to support). Then to implement this, we just need to pass those options through to the TLS server setup call.

The full list of Node's support TLS options is here: https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions.

For this case, I think you'd probably just want minVersion to be included and passed through. With that done, you could set up Mockttp like:

server = getLocal({
  https: {
    tlsServerOptions: { minVersion: 'TLSv1.2' }
  }
});

For now I think we'd only support that one option, but this interface would allow us to add more options later if required. Does that make sense? PR welcome if you're interested in this.

[skilbjo]

hi @pimterry , please see my pr #189