Add missing secureProtocol values, and some docs on protocol selection #24386

Closed
wants to merge 2 commits into from
9 changes: 5 additions & 4 deletions doc/api/cli.md
Expand Up @@ -347,16 +347,16 @@ with crypto support (default).
added: REPLACEME
-->

Enable TLSv1.0. This should only be used for compatibility with old TLS
clients or servers.
Enable TLSv1.0 and greater in default [secureProtocol][]. Use for compatibility
with old TLS clients or servers.

### `--tls-v1.1`
<!-- YAML
added: REPLACEME
-->

Enable TLSv1.1. This should only be used for compatibility with old TLS
clients or servers.
Enable TLSv1.1 and greater in default [secureProtocol][]. Use for compatibility
with old TLS clients or servers.

### `--trace-deprecation`
<!-- YAML
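Review bot: the rewritten descriptions of `--tls-v1.0` and `--tls-v1.1` drop the "should only be used" of the old text, so this page no longer carries the recommendation against older protocol versions that the tls.md change in this same PR states ("It is not recommended to use TLS versions less than 1.2"). Suggest keeping it, e.g. "Enable TLSv1.0 and greater in the default [secureProtocol][]. Use only for compatibility with old TLS clients or servers." The phrase "in default [secureProtocol][]" also reads better as "in the default [secureProtocol][]".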
Expand Down Expand Up @@ -787,3 +787,4 @@ greater than `4` (its current default value). For more information, see the
[experimental ECMAScript Module]: esm.html#esm_loader_hooks
[libuv threadpool documentation]: http://docs.libuv.org/en/latest/threadpool.html
[remote code execution]: https://www.owasp.org/index.php/Code_Injection
[secureProtocol]: tls.html#tls_tls_createsecurecontext_options
13 changes: 9 additions & 4 deletions doc/api/tls.md
Expand Up @@ -1118,10 +1118,15 @@ changes:
which is not usually necessary. This should be used carefully if at all!
Value is a numeric bitmask of the `SSL_OP_*` options from
[OpenSSL Options][].
* `secureProtocol` {string} SSL method to use. The possible values are listed
as [SSL_METHODS][], use the function names as strings. For example,
`'TLSv1_2_method'` to force TLS version 1.2.
**Default:** `'TLSv1_2_method'`.
* `secureProtocol` {string} The TLS protocol version to use. The possible
values are listed as [SSL_METHODS][], use the function names as strings. For
example, use `'TLSv1_1_method'` to force TLS version 1.1, or `'TLS_method'`
to allow any TLS protocol version. It is not recommended to use TLS versions
less than 1.2, but it may be required for interoperability. **Default:**
`'TLSv1_2_method'`, unless changed using CLI options. Using the `--tlsv1.0`
CLI option is like `'TLS_method'` except protocols earlier than TLSv1.0 are
not allowed, and using the `--tlsv1.1` CLI option is like `'TLS_method'`
except that protocols earlier than TLSv1.1 are not allowed.
* `sessionIdContext` {string} Opaque identifier used by servers to ensure
session state is not shared between applications. Unused by clients.

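Review bot: the CLI flag names in the new `secureProtocol` text, `--tlsv1.0` and `--tlsv1.1`, do not match the options this PR documents and registers elsewhere: cli.md and node.1 describe `--tls-v1.0` / `--tls-v1.1`, and node_options.cc adds `"--tls-v1.0"` and `"--tls-v1.1"`. A reader copying the flag from this paragraph would use a spelling that is not registered; change both occurrences to `--tls-v1.0` and `--tls-v1.1`. Since the paragraph says the default "may be changed using CLI options", linking the two names to their cli.md sections would also keep the two descriptions from drifting apart again.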
8 changes: 4 additions & 4 deletions doc/node.1
Expand Up @@ -184,12 +184,12 @@ Specify an alternative default TLS cipher list.
Requires Node.js to be built with crypto support. (Default)
.
.It Fl -tls-v1.0
Enable TLSv1.0. This should only be used for compatibility with old TLS
clients or servers.
Enable TLSv1.0 and greater in default secureProtocol. Use for compatibility
with old TLS clients or servers.
.
.It Fl -tls-v1.1
Enable TLSv1.1. This should only be used for compatibility with old TLS
clients or servers.
Enable TLSv1.1 and greater in default secureProtocol. Use for compatibility
with old TLS clients or servers.
.
.It Fl -trace-deprecation
Print stack traces for deprecations.
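Review bot: same wording point as in cli.md: "Use for compatibility with old TLS clients or servers" loses the "only" of the previous text, and "in default secureProtocol" wants a "the". Suggest "Enable TLSv1.0 and greater in the default secureProtocol. Use only for compatibility with old TLS clients or servers." (and the same for TLSv1.1), keeping the man page text identical to cli.md so the two stay in sync.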
8 changes: 8 additions & 0 deletions src/node_crypto.cc
Expand Up @@ -431,6 +431,14 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
} else if (strcmp(*sslmethod, "TLS_method") == 0) {
min_version = 0;
max_version = 0;
} else if (strcmp(*sslmethod, "TLS_server_method") == 0) {
min_version = 0;
max_version = 0;
method = TLS_server_method();
} else if (strcmp(*sslmethod, "TLS_client_method") == 0) {
min_version = 0;
max_version = 0;
method = TLS_client_method();
} else if (strcmp(*sslmethod, "TLSv1_method") == 0) {
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
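Review bot: no test accompanies the two new accepted `secureProtocol` strings (the change set touches only docs and C++ source), so nothing checks that `'TLS_server_method'` and `'TLS_client_method'` are now accepted, or that a context built with the server-only method behaves as expected when used from the client side. Suggest a test that creates a secure context with each string and drives one connection through them. On the code itself, both new branches repeat `min_version = 0; max_version = 0;` from the `TLS_method` branch and differ only in the `method` assignment; a single condition for the three names with `method` chosen inside it would avoid the duplication. The tls.md text in this PR also describes `TLS_method` as the way to allow any TLS version but does not mention the two direction-restricted variants being added here; a sentence there would help users find them.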
4 changes: 2 additions & 2 deletions src/node_options.cc
Expand Up @@ -191,11 +191,11 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {

#if HAVE_OPENSSL
AddOption("--tls-v1.0",
"enable TLSv1.0",
"enable TLSv1.0 and greater by default",
&EnvironmentOptions::tls_v1_0,
kAllowedInEnvironment);
AddOption("--tls-v1.1",
"enable TLSv1.1",
"enable TLSv1.1 and greater by default",
&EnvironmentOptions::tls_v1_1,
kAllowedInEnvironment);
#endif