Are there any cipher settings in the ssl options?

[snz2]

Are there any cipher settings in the ssl options?

Decrypt does not support ECDHE-RSA-AES256-GCM-SHA384 while connecting to tls from an older mono client. I wonder if the server can be set up.
Thank you for always.

[ghost]

OpenSSL is massive, could you look up what you want in their documentation?

[ghost]

What is decrypt?

[ghost]

What is mono?

[ghost]

I think generally SSL is all about deprecating old protocols and keeping things secure that way. If you have an old client chances are it's not going to be secure. So making it compatible with deprecated versions would be bad

[ghost]

This library pretty much runs with default settings, OpenSSL 1.1+ so if something is not working yeah I think that is by design

[snz2]

I am sorry to have asked you a question without detailed explanation.
After I asked this question,
I noticed that my old version of Unity 3d does not support tls 1.2 or higher.
I have tested uWebsocket server at https://sslanalyzer.comodoca.com/ and found that it does not support tls 1.0 either.

mono is the basic framework of Unity
The term decrypt was the letter of the log that came from communicating with the server as Unity.
However, I was worried about cipher, but it was a problem of tls version.

So now I'm looking for an option to build with support for tls 1.0 in the source of uWebsocket (c ++, c).

Excuse me, but is there any option to support tls 1.0?
Thank you.

[snz2]

I do not want to interfere with the basic design of this great uWebsocket. I was just trying to figure out how to upgrade the version of Unity that I use, which is a problem for my current service. Thanks for the answer.

[ghost]

SSL_CTX_set_options(context->ssl_context, SSL_OP_NO_TLSv1);

Apparently we disable tls1 because someone considered it good

[slavaGanzin]

Current versions of every client support modern TLS versions. So it's no need to support previous protocol versions, although tls downgrade is a real threat and outweigh compatibility issues.

@snz2 You can try to make a local ssl proxy using something like https://www.npmjs.com/package/local-ssl-proxy or nginx. IT will downgrade protocol for one side (unity) and upgrade for another (uWS). Temporary, but fast fix

OpenSSL is massive, could you look up what you want in their documentation?

Off topic, but can passphrase be implemented? It's kinda best practice...

[dvergeylen]

Apparently we disable tls1 because someone considered it good

Yes, as of June 30, 2018, all websites need to be on TLS 1.1 or higher in order to comply with the PCI Data Security Standard (DSS).

TLS 1.0 is 1990, TLS 1.1 is 2006, TLS 1.2 is 2008 and TLS 1.3 is 2018 (IETF announcement).

[snz2]

@alexhultman
SSL_CTX_set_options (context-> ssl_context, SSL_OP_NO_TLSv1);

I commented out the code in ssl.c and it builds and listens. But when I try to connect to the client
Segmentation fault of nodejs occurs and stops.
If you do not comment it, it will work.
Let me see more.

edited

I checked more.
SSL_CTX_set_options (context-> ssl_context, SSL_OP_NO_TLSv1);
Unrelated to the above option

git clone --recursive https://github.com/uNetworking/uWebSockets.js.git && cd with make
This problem only occurs when uWebsocket.js is downloaded as a clone and is built by hand.

Let's check if there is a difference with npm i.
Thank you.

edited 2

It was my build environment and cache problem.
All works fine with tls 1.0. But I think more and try to get better options for my project instead of tls 1.0.
Thank you for your help.

---

@slavaGanzin

/*
You can try to make a local ssl proxy using something like https://www.npmjs.com/package/local-ssl-proxy or nginx. IT will downgrade protocol for one side (unity) and upgrade for another (uWS). Temporary, but fast fix
*/

Thank you for giving me a good option. Let me also consider this.