update secureOptions parameter for https server

[inkz]

Hello,

I’m a security researcher at r2c. We work with industry experts to write code checks for bugs in open source.

Problem:
I found that the https server don't disallow TLS v1 as it intended to do

anyproxy/lib/httpsServerMgr.js

Line 71 in b93f948

secureOptions: constants.SSL_OP_NO_SSLv3 || constants.SSL_OP_NO_TLSv1,

anyproxy/lib/httpsServerMgr.js

Line 85 in b93f948

secureOptions: constants.SSL_OP_NO_SSLv3 || constants.SSL_OP_NO_TLSv1,

TLS v1 is deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.

Fix:
This is happens because TLS stack (OpenSSL) requires that the options are combined with bitwise OR while logical OR is used

// this is how it should be
secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1

// this is how it is used now
secureOptions: constants.SSL_OP_NO_SSLv3 || constants.SSL_OP_NO_TLSv1

in this case only constants.SSL_OP_NO_SSLv3 is passed to secureOptions allowing connections with TLS v1

https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs

We have a tool called Semgrep you can use for your project that continuously detects problems like this one. Semgrep is also available as a GitHub Action to make it easy to set up. The check that identified this bug is available in Semgrep by using https://semgrep.dev/p/colleend.insecure-transport-nodejs

Thanks, and I hope this helps! Let me know if you have any questions.

[CLAassistant]

All committers have signed the CLA.