How do you control ciphers in a node.js proxy on Apigee Edge Cloud?

tschaib2
Participant I

I am running into problems with a specific node.js proxy which is being rejected by the backend server, presumably because of issues with the negotiated SSL/TLS connection. While the connection is allowed by the server, a downstream configuration simply returns an AccessDenied.

I would like to have better control of the SSL/TLS options of a node.js proxy within Edge when making outgoing requests.

As I understand it, the Edge node.js instances are using the underlying JSSE v1.7.

I would like to do two things.

  1. Inspect which ciphers are available on the platform.
  2. Control which ciphers are available in negotiating TLS/SSL on an outgoing connection.

Inspect which ciphers are available on the platform

On most node servers, I would run tls.getCiphers(). In Edge this creates the following exception:

TypeError: Cannot find function getSSLCiphers in object [object _cryptoClass].

    at tls.js:46
    at /organization/environment/api/main.js:46
    at /organization/environment/api/node_modules/request/request.js:187
    at emit (events.js:98)
    at /organization/environment/api/node_modules/request/request.js:1044
    at emit (events.js:95)
    at /organization/environment/api/node_modules/request/request.js:965
    at emit (events.js:117)
    at _stream_readable.js:943
    at _tickDomainCallback (trireme.js:491)
    at _tickFromSpinner (trireme.js:422)

Control which ciphers are available in negotiating TLS/SSL on an outgoing connection

The following code is something I would expect to work. This does have the effect of switching out the ciphers, as it will create the following fault: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

JSSE specifications for ciphers generally differ from their openssl counterparts.

  • JSSE = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • openssl = ECDHE-RSA-AES128-SHA256

It's unclear which format to specify here, especially without an ability to query the available ciphers through node.

    // the request library used in the proxy; url and res come from the
    // enclosing request handler
    var request = require('request');

    var options = {
        url: url,
        agentOptions: {
            secureProtocol: 'TLSv1.2',
            // this cipher string produces the SSLHandshakeException quoted above
            ciphers: 'ECDHE-RSA-AES128-CBC-SHA128'
        }
    };
    request.get(options, function(err, data) {
        res.send(data);
    });