tls: make ossl 1.1.1 cipher list throw error
Make OpenSSL 1.1.1 error during cipher list setting if it would have
errored with OpenSSL 1.1.0.

Can be dropped after our OpenSSL fixes this upstream.

See: openssl/openssl#7759

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
sam-github committed Jan 24, 2019
commit 45e061675a6389973fda7c31926f03b3441e4d5c
20 changes: 19 additions & 1 deletion src/node_crypto.cc
@@ -919,8 +919,26 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {

THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers");

// Note: set_ciphersuites() is for TLSv1.3 and was introduced in openssl
// 1.1.1, set_cipher_list() is for TLSv1.2 and earlier.
//
// In openssl 1.1.0, set_cipher_list() would error if it resulted in no
// TLSv1.2 (and earlier) cipher suites, and there is no TLSv1.3 support.
//
// In openssl 1.1.1, set_cipher_list() will not error if it results in no
// TLSv1.2 cipher suites if there are any TLSv1.3 cipher suites, which there
// are by default. There will be an error later, during the handshake, but
// that results in an async error event, rather than a sync error thrown,
// which is a semver-major change for the tls API.
//
// Since we don't currently support TLSv1.3, work around this by removing the
// TLSv1.3 cipher suites, so we get backwards compatible synchronous errors.
const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
if (!SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
if (
#ifdef TLS1_3_VERSION
!SSL_CTX_set_ciphersuites(sc->ctx_.get(), "") ||
#endif
!SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
if (!err) {
return env->ThrowError("Failed to set ciphers");
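Review bot: in the `#ifdef TLS1_3_VERSION` branch of the new `if`, `SSL_CTX_set_ciphersuites(sc->ctx_.get(), "")` runs, and mutates the context, before `SSL_CTX_set_cipher_list()` is evaluated, so a rejected cipher string leaves `sc->ctx_` with its TLSv1.3 suites already cleared; that is harmless while TLSv1.3 is unsupported and the error is thrown anyway, but the comment should say so, and the preprocessor conditional inside the `if (` condition would read more clearly as a separate `#ifdef TLS1_3_VERSION` statement ahead of the `if`, for example `if (!SSL_CTX_set_ciphersuites(sc->ctx_.get(), "")) return env->ThrowError("Failed to clear TLSv1.3 ciphersuites");`. Also, the comment block explains the OpenSSL 1.1.0 versus 1.1.1 difference but never names the upstream report the commit message points at (openssl/openssl#7759); since the message says the workaround can be dropped once that is fixed, add a `// TODO: remove once openssl/openssl#7759 is fixed` line so the workaround is discoverable from the code rather than only from git history.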