How to create https server with TLS 1.0?

[Anton-V-K]

I'm using Node.js 18.12.1 (Windows 10) and would like to create a https server which supports TLS 1.0 (for compatibility reasons).
However all attempts to enable support for obsolete protocols failed, and I tend to think that this version of Node.js doesn't support them at all.
Here is the minimal code to test the behavior:

const fs =          require('fs');
const https =       require('https');
const path =        require('path');

var httpsOptions = null;
try
{
    httpsOptions = {
        key: fs.readFileSync(path.join(__dirname, 'localhost.key')),
        cert: fs.readFileSync(path.join(__dirname, 'localhost.crt')),
        // ciphers: 'ECDHE-RSA-AES256-SHA:AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM',
        // honorCipherOrder: true,
        // minVersion: 'TLSv1',
        // secureProtocol: 'TLSv1_server_method', // 'TLSv1_method',
    }
}
catch (exc)
{
    console.error(exc);
}

const server = https.createServer(httpsOptions, async (req, res) => {
    console.log("req.url:", req.url); // DEBUG

    res.writeHead(200, { 'Content-Type': 'text/html' }); 
    res.write('<html><body>Hello world!</body></html>');
    res.end();
})

server.listen((9999), () => {
    console.log("Server is listening at port", server.address().port);
})

Needed files localhost.key and localhost.crt can be generated with openssl (reference):

openssl req -x509 -out localhost.crt -keyout localhost.key ^
  -newkey rsa:2048 -nodes -sha256 ^
  -subj /CN=localhost -extensions EXT -config localhost.conf

The content of localhost.conf is as follows:

[dn]
CN=localhost
[req]
distinguished_name = dn
[EXT]
subjectAltName=DNS:localhost
keyUsage=digitalSignature
extendedKeyUsage=serverAuth

I verify protocols support with nmap (download for Windows) and typical output for nmap --script ssl-enum-ciphers -p 9999 localhost is as follows (TLS 1.2 is minimum by default in Node.js):

Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-26 12:22
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
9999/tcp open  abyss
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.07 seconds

What I'v tried so far:

1. Tuning httpsOptions (setting secureProtocol: 'TLSv1_server_method', and alike) - it causes ERR_SSL_VERSION_OR_CIPHER_MISMATCH (in the browser) and nmap shows no ciphers at all.
2. Tuning via command line (like node --tls-min-v1.0 server.js - see Expose a way to specify TLS version by node command line node#27666 ) - it has no effect and Node.js runs with same set of protocols.

Do I miss something?
Any hints on enabling TLS 1.0 in Node.js?

[bnoordhuis]

{ secureProtocol: 'TLSv1_server_method' } does what you want, it restricts the protocol to TLSv1.0.

causes ERR_SSL_VERSION_OR_CIPHER_MISMATCH (in the browser) and nmap shows no ciphers at all

I can't speak to nmap but browers as a rule don't support insecure ciphers, and that's most TLSv1.0 ciphers at this point. You should be able to connect with openssl s_client -tls1 -connect <host:port> though.

[Anton-V-K]

Thanks for the reply.
I can connect with openssl client, though it still detects no ciphers:

...>openssl s_client -tls1 -connect 127.0.0.1:9999
CONNECTED(0000013C)
9252:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1544:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1674742232
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

However other clients cannot connect, including the test Node.js client:

const https = require('https')

// possible values for secureProtocol: https://www.openssl.org/docs/man1.1.1/man7/ssl.html#Dealing-with-Protocol-Methods
const protocol = "TLSv1_method"
// const protocol = "TLSv1_1_method"
// const protocol = "TLSv1_2_method"

const options = {
    hostname: '127.0.0.1',
    port: 9999,
    method: 'GET',
    secureProtocol: protocol,
    rejectUnauthorized: false
}

https.request(options, res => {
  let body = ''
  res.on('data', data => body += data)
  res.on('end', () => {
    console.log('response data: ' + body)
  })
}).on('error', err => {
  console.warn(err)
}).end()

The result:

...>node client.js
Error: write EPROTO 00620000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:c:\ws\deps\openssl\openssl\ssl\record\rec_layer_s3.c:160
0:SSL alert number 80

    at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) {
  errno: -4046,
  code: 'EPROTO',
  syscall: 'write'
}

[richardlau]

I think this is an OpenSSL 3 change:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

The security strength of SHA1 and MD5 based signatures in TLS has been reduced.

This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the default security level of 1 and instead requires security level 0. The security level can be changed either using the cipher string with @SECLEVEL, or calling SSL_CTX_set_security_level(3). This also means that where the signature algorithms extension is missing from a ClientHello then the handshake will fail in TLS 1.2 at security level 1. This is because, although this extension is optional, failing to provide one means that OpenSSL will fallback to a default set of signature algorithms. This default set requires the availability of SHA1.

[kumarrishav]

@richardlau

regarding this

This also means that where the signature algorithms extension is missing from a ClientHello then the handshake will fail in TLS 1.2 at security level 1.

Do I still need to pass the signature algorithms extension in clientHello if I am reducing the @SECLEVEL to 0 in the node.js server?

any pointer here? nodejs/node#49632