tls: re-define max supported version as 1.2 #25024

sam-github · 2018-12-13T19:19:20Z

Several secureProtocol strings allow any supported TLS version as the
maximum, but our maximum supported protocol version is TLSv1.2 even if
someone configures a build against an OpenSSL that supports TLSv1.3.

Fixes: #24658

Was part of the openssl 1.1.1 upgrade work, but given that distros are assuming that openssl 1.1.1 is API and ABI compatible with 1.1.0, and can be dropped in, and that node does in fact build when that happens, I think we should apply this change to master, and likely backport through to 10.x

Checklist

make -j4 test (UNIX), or vcbuild test (Windows) passes
tests and/or benchmarks are included
documentation is changed or added
commit message follows commit guidelines

nodejs-github-bot · 2018-12-13T19:19:23Z

@sam-github build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1936/pipeline

src/node_crypto.cc

danbev · 2018-12-14T04:30:03Z

CI: https://ci.nodejs.org/job/node-test-pull-request/19500/

Trott · 2018-12-14T07:06:03Z

Resume Build CI: https://ci.nodejs.org/job/node-test-pull-request/19508/

Trott · 2018-12-14T14:24:23Z

Resume Build CI: https://ci.nodejs.org/job/node-test-pull-request/19520/ ✔️

sam-github · 2018-12-14T19:11:10Z

@nodejs/lts Note that this cherry-picks clean to 11.x and 10.x, and should eventually land there. It is semver-patch.

Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: nodejs#24658

Trott · 2018-12-17T05:27:32Z

CI: https://ci.nodejs.org/job/node-test-pull-request/19595/ ✔️

sam-github · 2018-12-17T17:00:53Z

Landed in 19b59bf

Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: #24658 PR-URL: #25024 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: nodejs#24658 PR-URL: nodejs#25024 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: #24658 PR-URL: #25024 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:openssl_1_1_1.patch Original commit message: Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3 Upstream commits: commit 8dd8033 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Sep 12 17:34:24 2018 +0900 tls: workaround handshakedone in renegotiation `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called sending HelloRequest in OpenSSL-1.1.1. We need to check whether this is in a renegotiation state or not. Backport-PR-URL: nodejs#26270 PR-URL: nodejs#25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> commit 161dca7 Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 28 14:11:18 2018 -0800 tls: re-define max supported version as 1.2 Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: nodejs#24658 PR-URL: nodejs#25024 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Partial port, remain compatible with 1.0.2: commit 970ce14 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Mar 14 14:26:55 2018 +0900 crypto: remove deperecated methods of TLS version All version-specific methods were deprecated in OpenSSL 1.1.0 and min/max versions explicitly need to be set. This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now. crypto, constants: add constant of OpenSSL-1.1.0 Several constants for OpenSSL-1.1.0 engine were removed and renamed in OpenSSL-1.1.0. This added one renamed constant in order to have a compatible feature with that of OpenSSL-1.0.2. Other missed or new constants in OpenSSL-1.1.0 are not yet added. crypto,tls,constants: remove OpenSSL1.0.2 support This is semver-majar change so that we need not to have compatibilities with older versions. Fixes: nodejs#4270 PR-URL: nodejs#19794 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>

nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. labels Dec 13, 2018

sam-github mentioned this pull request Dec 13, 2018

Cannot read property 'getALPNNegotiatedProtocol' of null #24658

Closed

richardlau approved these changes Dec 13, 2018

View reviewed changes

src/node_crypto.cc Show resolved Hide resolved

bnoordhuis approved these changes Dec 13, 2018

View reviewed changes

danbev approved these changes Dec 14, 2018

View reviewed changes

cjihrig approved these changes Dec 14, 2018

View reviewed changes

Trott added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Dec 14, 2018

tls: re-define max supported version as 1.2

058a96d

Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: nodejs#24658

Trott force-pushed the set-max-tls-to-v1.2 branch from baa6d5a to 058a96d Compare December 17, 2018 05:26

sam-github closed this Dec 17, 2018

sam-github deleted the set-max-tls-to-v1.2 branch December 17, 2018 17:00

MylesBorins mentioned this pull request Dec 25, 2018

v11.6.0 proposal #25175

Merged

sam-github added lts-watch-v8.x labels Jan 22, 2019

BethGriggs added the land-on-v10.x label Feb 12, 2019

BethGriggs mentioned this pull request Feb 12, 2019

v10.15.3 proposal #26063

Merged

BethGriggs removed the lts-watch-v10.x label Jul 9, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tls: re-define max supported version as 1.2 #25024

tls: re-define max supported version as 1.2 #25024

sam-github commented Dec 13, 2018

nodejs-github-bot commented Dec 13, 2018

danbev commented Dec 14, 2018

Trott commented Dec 14, 2018

Trott commented Dec 14, 2018 •

edited

Loading

sam-github commented Dec 14, 2018

Trott commented Dec 17, 2018 •

edited

Loading

sam-github commented Dec 17, 2018

tls: re-define max supported version as 1.2 #25024

tls: re-define max supported version as 1.2 #25024

Conversation

sam-github commented Dec 13, 2018

Checklist

nodejs-github-bot commented Dec 13, 2018

danbev commented Dec 14, 2018

Trott commented Dec 14, 2018

Trott commented Dec 14, 2018 • edited Loading

sam-github commented Dec 14, 2018

Trott commented Dec 17, 2018 • edited Loading

sam-github commented Dec 17, 2018

Trott commented Dec 14, 2018 •

edited

Loading

Trott commented Dec 17, 2018 •

edited

Loading