squash! add --tls-v1.0 and --tls-v1.1 flags
bnoordhuis committed Oct 26, 2018
commit 8f469918880f8cfcc898330a42fca3ba2a7302c7
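--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -323,6 +323,22 @@ added: v4.0.0
 Specify an alternative default TLS cipher list. Requires Node.js to be built
 with crypto support (default).
 
+### `--tls-v1.0`
+<!-- YAML
+added: REPLACEME
+-->
+
+Enable TLSv1.0. This should only be used for compatibility with old TLS
+clients or servers.
+
+### `--tls-v1.1`
+<!-- YAML
+added: REPLACEME
+-->
+
+Enable TLSv1.1. This should only be used for compatibility with old TLS
+clients or servers.
+
 ### `--trace-deprecation`
 <!-- YAML
 added: v0.8.0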
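--- a/doc/node.1
+++ b/doc/node.1
@@ -183,6 +183,14 @@ Specify process.title on startup.
 Specify an alternative default TLS cipher list.
 Requires Node.js to be built with crypto support. (Default)
 .
+.It Fl -tls-v1.0
+Enable TLSv1.0. This should only be used for compatibility with old TLS
+clients or servers.
+.
+.It Fl -tls-v1.1
+Enable TLSv1.1. This should only be used for compatibility with old TLS
+clients or servers.
+.
 .It Fl -trace-deprecation
 Print stack traces for deprecations.
 .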
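--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -400,6 +400,9 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
 int max_version = 0;
 const SSL_METHOD* method = TLS_method();
 
+if (env->options()->tls_v1_1) min_version = TLS1_1_VERSION;
+if (env->options()->tls_v1_0) min_version = TLS1_VERSION;
+
 if (args.Length() == 1 && args[0]->IsString()) {
 const node::Utf8Value sslmethod(env->isolate(), args[0]);
 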
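Review bot: The two added `if` lines in SecureContext::Init only behave as intended because of their order: with both flags set, the later assignment leaves `min_version` at `TLS1_VERSION`, and nothing records that this is deliberate. I would add a comment above them, e.g. `// CLI flags lower the default protocol floor; --tls-v1.0 is tested last so the lowest enabled version wins.` The hunk also does not show whether the `secureProtocol` branch that starts right below re-assigns `min_version`, so it is worth confirming, and covering with a test, that a context explicitly requesting a newer method is not left with the lowered floor. Init's body begins and ends outside the hunk.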
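--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -189,6 +189,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
 
 AddOption("--napi-modules", "", NoOp{}, kAllowedInEnvironment);
 
+#if HAVE_OPENSSL
+AddOption("--tls-v1.0",
+"enable TLSv1.0",
+&EnvironmentOptions::tls_v1_0,
+kAllowedInEnvironment);
+AddOption("--tls-v1.1",
+"enable TLSv1.1",
+&EnvironmentOptions::tls_v1_1,
+kAllowedInEnvironment);
+#endif
+
 Insert(&DebugOptionsParser::instance,
 &EnvironmentOptions::get_debug_options);
 }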
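--- a/src/node_options.h
+++ b/src/node_options.h
@@ -92,6 +92,11 @@ class EnvironmentOptions : public Options {
 bool print_eval = false;
 bool force_repl = false;
 
+#if HAVE_OPENSSL
+bool tls_v1_0 = false;
+bool tls_v1_1 = false;
+#endif
+
 std::vector<std::string> preload_modules;
 
 std::vector<std::string> user_argv;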
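--- a/test/parallel/test-https-agent-additional-options.js
+++ b/test/parallel/test-https-agent-additional-options.js
@@ -1,3 +1,4 @@
+// Flags: --tls-v1.1
 'use strict';
 const common = require('../common');
 if (!common.hasCrypto)
@@ -11,8 +12,7 @@ const fixtures = require('../common/fixtures');
 const options = {
 key: fixtures.readKey('agent1-key.pem'),
 cert: fixtures.readKey('agent1-cert.pem'),
-ca: fixtures.readKey('ca1-cert.pem'),
-secureProtocol: 'TLS_method',
+ca: fixtures.readKey('ca1-cert.pem')
 };
 
 const server = https.Server(options, function(req, res) {
@@ -35,7 +35,7 @@ const updatedValues = new Map([
 ['ecdhCurve', 'secp384r1'],
 ['honorCipherOrder', true],
 ['secureOptions', crypto.constants.SSL_OP_CIPHER_SERVER_PREFERENCE],
-['secureProtocol', 'TLSv1_method'],
+['secureProtocol', 'TLSv1_1_method'],
 ['sessionIdContext', 'sessionIdContext'],
 ]);
 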
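Review bot: The tests touched here only exercise the flags in the enabling direction: this file runs with `// Flags: --tls-v1.1` and test-https-agent-session-eviction.js with `// Flags: --tls-v1.0`, but none of the visible sections asserts that a TLSv1.0 or TLSv1.1 handshake is refused when the flags are absent. Assuming the default floor now sits above TLSv1.1, as the need for the flags suggests, that negative case is what protects the default; I would add a test that starts a server without the flags and expects a client using `secureProtocol: 'TLSv1_1_method'` to fail. It may exist elsewhere in the pull request, since this page shows a single squash commit. A one-line comment next to each `// Flags:` line saying why the test needs the legacy protocol would also help whoever removes the flags later.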
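--- a/test/parallel/test-https-agent-session-eviction.js
+++ b/test/parallel/test-https-agent-session-eviction.js
@@ -1,3 +1,4 @@
+// Flags: --tls-v1.0
 'use strict';
 
 const common = require('../common');
@@ -54,8 +55,7 @@ function faultyServer(port) {
 function second(server, session) {
 const req = https.request({
 port: server.address().port,
-rejectUnauthorized: false,
-secureProtocol: 'TLS_method',
+rejectUnauthorized: false
 }, function(res) {
 res.resume();
 });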
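--- a/test/parallel/test-process-env-allowed-flags.js
+++ b/test/parallel/test-process-env-allowed-flags.js
@@ -51,7 +51,8 @@ require('../common');
 // assert all "canonical" flags begin with dash(es)
 {
 process.allowedNodeEnvironmentFlags.forEach((flag) => {
-assert(/^--?[a-z8_-]+$/.test(flag), `Unexpected format for flag ${flag}`);
+assert(/^--?[a-z0-9._-]+$/.test(flag),
+`Unexpected format for flag ${flag}`);
 });
 }
 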