tls: add min/max protocol version options #24405
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sam-github
added
the
semver-minor
nodejs-github-bot
added
the
lib / src
refack
reviewed
Nov 16, 2018
|
Missing test for |
sam-github
force-pushed
the
tls-min-max-version
branch
from
77ae2fe
to
9b267ff
Compare
mscdex
reviewed
Nov 17, 2018
sam-github
added
semver-major
bnoordhuis
reviewed
Nov 19, 2018
There was a problem hiding this comment.
Just to make sure we're all on the same page: SecureContext is exported. We agree this is semver-minor, not semver-major? Tacking on parameters breaks code that passes in too many.
Sam, can you add a few more tests that verify that passing in the new options actually affects a TLS connection? Bonus points if it also tests the interaction with the --tls-v1.x flags.
rvagg
suggested changes
Nov 19, 2018
sam-github
force-pushed
the
tls-min-max-version
branch
2 times, most recently
from
017939b
to
2cae9ab
Compare
sam-github
added
semver-minor
sam-github
force-pushed
the
tls-min-max-version
branch
from
2cae9ab
to
61e08ae
Compare
|
@shigeki I removed your name from the commit so you don't get |
sam-github
force-pushed
the
tls-min-max-version
branch
from
61e08ae
to
e07e955
Compare
|
@rvagg @bnoordhuis PTAL |
sam-github
force-pushed
the
tls-min-max-version
branch
3 times, most recently
from
5646a55
to
1d3255d
Compare
The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain.
BridgeAR
pushed a commit
that referenced
this pull request
Dec 7, 2018
The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain. Backport-PR-URL: #24676 PR-URL: #24405 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
BridgeAR
pushed a commit
that referenced
this pull request
Dec 7, 2018
The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain. Backport-PR-URL: #24676 PR-URL: #24405 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
BridgeAR
added a commit
that referenced
this pull request
Dec 7, 2018
Notable Changes:
* console,util:
* `console` functions now handle symbols as defined in the spec.
#23708
* The inspection `depth` default is now back at 2.
#24326
* dgram,net:
* Added ipv6Only option for `net` and `dgram`.
#23798
* http:
* Chosing between the http parser is now possible per runtime flag.
#24739
* readline:
* The `readline` module now supports async iterators.
#23916
* repl:
* The multiline history feature is removed.
#24804
* tls:
* Added min/max protocol version options.
#24405
* The X.509 public key info now includes the RSA bit size and the
elliptic curve. #24358
* url:
* `pathToFileURL()` now supports LF, CR and TAB.
#23720
* Windows:
* Tools are not installed using Boxstarter anymore.
#24677
* The install-tools scripts or now included in the dist.
#24233
* Added new collaborator:
* [antsmartian](https://github.com/antsmartian) - Anto Aravinth.
#24655
PR-URL: #24854
BridgeAR
added a commit
that referenced
this pull request
Dec 7, 2018
Notable Changes:
* console,util:
* `console` functions now handle symbols as defined in the spec.
#23708
* The inspection `depth` default is now back at 2.
#24326
* dgram,net:
* Added ipv6Only option for `net` and `dgram`.
#23798
* http:
* Chosing between the http parser is now possible per runtime flag.
#24739
* readline:
* The `readline` module now supports async iterators.
#23916
* repl:
* The multiline history feature is removed.
#24804
* tls:
* Added min/max protocol version options.
#24405
* The X.509 public key info now includes the RSA bit size and the
elliptic curve. #24358
* url:
* `pathToFileURL()` now supports LF, CR and TAB.
#23720
* Windows:
* Tools are not installed using Boxstarter anymore.
#24677
* The install-tools scripts or now included in the dist.
#24233
* Added new collaborator:
* [antsmartian](https://github.com/antsmartian) - Anto Aravinth.
#24655
PR-URL: #24854
This was referenced Dec 7, 2018
4 tasks
refack
pushed a commit
to refack/node
that referenced
this pull request
Jan 14, 2019
The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain. PR-URL: nodejs#24405 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
refack
pushed a commit
to refack/node
that referenced
this pull request
Jan 14, 2019
Notable Changes:
* console,util:
* `console` functions now handle symbols as defined in the spec.
nodejs#23708
* The inspection `depth` default is now back at 2.
nodejs#24326
* dgram,net:
* Added ipv6Only option for `net` and `dgram`.
nodejs#23798
* http:
* Chosing between the http parser is now possible per runtime flag.
nodejs#24739
* readline:
* The `readline` module now supports async iterators.
nodejs#23916
* repl:
* The multiline history feature is removed.
nodejs#24804
* tls:
* Added min/max protocol version options.
nodejs#24405
* The X.509 public key info now includes the RSA bit size and the
elliptic curve. nodejs#24358
* url:
* `pathToFileURL()` now supports LF, CR and TAB.
nodejs#23720
* Windows:
* Tools are not installed using Boxstarter anymore.
nodejs#24677
* The install-tools scripts or now included in the dist.
nodejs#24233
* Added new collaborator:
* [antsmartian](https://github.com/antsmartian) - Anto Aravinth.
nodejs#24655
PR-URL: nodejs#24854
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Feb 22, 2019
The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain. Backport-PR-URL: nodejs#24676 PR-URL: nodejs#24405 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
4 tasks
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Feb 28, 2019
The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain. Backport-PR-URL: nodejs#24676 PR-URL: nodejs#24405 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
BethGriggs
pushed a commit
that referenced
this pull request
Mar 28, 2019
The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain. Backport-PR-URL: #26270 PR-URL: #24405 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
Merged
This was referenced May 29, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.
This is a rework of
tls: add min/max_version and their defaultsfrom https://github.com/shigeki/node/commits/WIP_upgrade_openssl111_tls12_only onto master. The original conflicted with more recent commits to master, but while doing the docs for #24386 I realized it also broke #23814. I'm PRing this directly now because it doesn't have a dependency on OpenSSL 1.1.1. Getting it into master should make @shigeki 's work easier, and his openssl 1.1.1 branch shorter. Also, landing it will stop it from getting more conflicts.Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes