Skip to content

Commit

Permalink
crypto: deprecate {ecdhCurve: false}
Browse files Browse the repository at this point in the history
This doesn't work in OpenSSL 1.1.0.  Per discussion on the PR, it is
preferable to just deprecate this setting. Deprecate it and skip the
test in OpenSSL 1.1.0.

PR-URL: #16130
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
  • Loading branch information
davidben authored and rvagg committed Nov 11, 2017
1 parent aa81f99 commit 560f797
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 0 deletions.
10 changes: 10 additions & 0 deletions doc/api/deprecations.md
Original file line number Diff line number Diff line change
Expand Up @@ -737,6 +737,16 @@ Type: Runtime
internal mechanics of the `REPLServer` itself, and is therefore not
necessary in user space.
<a id="DEP0083"></a>
### DEP0083: Disabling ECDH by setting ecdhCurve to false
Type: Runtime
The `ecdhCurve` option to `tls.createSecureContext()` and `tls.TLSSocket` could
be set to `false` to disable ECDH entirely on the server only. This mode is
deprecated in preparation for migrating to OpenSSL 1.1.0 and consistency with
the client. Use the `ciphers` parameter instead.
[`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size
[`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array
Expand Down
12 changes: 12 additions & 0 deletions lib/_tls_common.js
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,16 @@ function validateKeyCert(value, type) {
exports.SecureContext = SecureContext;


function ecdhCurveWarning() {
if (ecdhCurveWarning.emitted) return;
process.emitWarning('{ ecdhCurve: false } is deprecated.',
'DeprecationWarning',
'DEP0083');
ecdhCurveWarning.emitted = true;
}
ecdhCurveWarning.emitted = false;


exports.createSecureContext = function createSecureContext(options, context) {
if (!options) options = {};

Expand Down Expand Up @@ -140,6 +150,8 @@ exports.createSecureContext = function createSecureContext(options, context) {
c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
else if (options.ecdhCurve)
c.context.setECDHCurve(options.ecdhCurve);
else
ecdhCurveWarning();

if (options.dhparam) {
const warning = c.context.setDHParam(options.dhparam);
Expand Down
8 changes: 8 additions & 0 deletions test/parallel/test-tls-ecdh-disable.js
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,11 @@ if (!common.hasCrypto)
if (!common.opensslCli)
common.skip('missing openssl-cli');

const OPENSSL_VERSION_NUMBER =
require('crypto').constants.OPENSSL_VERSION_NUMBER;
if (OPENSSL_VERSION_NUMBER >= 0x10100000)
common.skip('false ecdhCurve not supported in OpenSSL 1.1.0');

const assert = require('assert');
const tls = require('tls');
const exec = require('child_process').exec;
Expand All @@ -42,6 +47,9 @@ const options = {
ecdhCurve: false
};

common.expectWarning('DeprecationWarning',
'{ ecdhCurve: false } is deprecated.');

const server = tls.createServer(options, common.mustNotCall());

server.listen(0, '127.0.0.1', common.mustCall(function() {
Expand Down

0 comments on commit 560f797

Please sign in to comment.