From 10ef12ffae336acb5e0213a2bebdddafb42a8127 Mon Sep 17 00:00:00 2001
From: Murtaza Aliakbar
Date: Wed, 16 Oct 2024 23:28:12 +0530
Subject: [PATCH] node: prefer aes128 ciphers

---
 src/server-node.js | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/server-node.js b/src/server-node.js
index 0ac24674e6..580a3971a5 100644
--- a/src/server-node.js
+++ b/src/server-node.js
@@ -267,8 +267,28 @@ function systemUp() {
 keepAlive: true,
 noDelay: true,
 };
+ // default cipher suites
+ // nodejs.org/api/tls.html#modifying-the-default-tls-cipher-suite
+ let defaultTlsCiphers = "";
+ if (!util.emptyString(tls.DEFAULT_CIPHERS)) {
+ // nodejs.org/api/tls.html#tlsdefault_ciphers
+ defaultTlsCiphers = tls.DEFAULT_CIPHERS;
+ } else {
+ // nodejs.org/api/tls.html#tlsgetciphers
+ defaultTlsCiphers = tls
+ .getCiphers()
+ .map((c) => c.toUpperCase())
+ .join(":");
+ }
+ // aes128 is a 'cipher string' for tls1.2 and below
+ // docs.openssl.org/1.1.1/man1/ciphers/#cipher-strings
+ const preferAes128 =
+ "AES128:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_GCM_SHA256";
 // nodejs.org/api/tls.html#tlscreateserveroptions-secureconnectionlistener
+ /** @type {tls.SecureContextOptions} */
 const tlsOpts = {
+ ciphers: preferAes128 + ":" + defaultTlsCiphers,
+ honorCipherOrder: true,
 handshakeTimeout: Math.max((ioTimeoutMs / 2) | 0, 3 * 1000), // 3s in ms
 // blog.cloudflare.com/tls-session-resumption-full-speed-and-secure
 sessionTimeout: 60 * 60 * 24 * 7, // 7d in secs
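Review bot: The `AES128` keyword in `preferAes128` is a broad OpenSSL mask, not just the AEAD suites: per the linked cipher-string docs it also matches the static-RSA and CBC-SHA1 AES-128 suites (e.g. `AES128-SHA`), and since the string is prepended to the default list and `honorCipherOrder` is set, as I read the OpenSSL ordering rules those non-PFS/CBC suites end up ranked ahead of every ChaCha20 and AES-256 suite from Node's curated default, while for TLS 1.3 `TLS_AES_128_CCM_8_SHA256` (64-bit tag) is placed ahead of `TLS_AES_128_GCM_SHA256`. If the goal is only to prefer AES-128, name the AEAD suites explicitly, e.g. `const preferAes128 = "TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";`, and let the appended `defaultTlsCiphers` supply everything else. The `else` fallback also needs a second look: `tls.getCiphers()` enumerates every suite the linked OpenSSL supports rather than Node's vetted default, so if `tls.DEFAULT_CIPHERS` were ever empty this branch would widen the offered set instead of preserving it; as far as I can tell `DEFAULT_CIPHERS` is never empty on supported Node releases, so either drop the branch or at least append `:!aNULL:!eNULL:!MD5:!RC4:!3DES` to that fallback. Both `systemUp` and the `tlsOpts` object continue outside the hunk, so any `minVersion` already set there is not visible here.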