db24641
deps: upgrade npm to 6.13.6
ruyadorno Jan 10, 2020
7eac959
deps: upgrade npm to 6.13.7
Jan 28, 2020
2315270
test: try to stabalize test-child-process-fork-exec-path.js
refack Apr 17, 2019
a8fd8a1
test: mark http2 tests as flaky on 10.x
Feb 20, 2020
4b9a779
test: mark tests as flaky
joaocgreis Dec 8, 2019
f1a8791
test: allow EAI_FAIL in test-http-dns-error.js
cjihrig Apr 30, 2019
1cfb457
tls: support TLS min/max protocol defaults in CLI
sam-github May 28, 2019
64744a2
buffer: add {read|write}Big[U]Int64{BE|LE} methods
GaryGSC Nov 11, 2019
3f9cec3
test: add debugging output to test-net-listen-after-destroy-stdin
Trott Feb 8, 2020
20177b9
n-api: turn NAPI_CALL_INTO_MODULE into a function
addaleax Feb 15, 2019
f29fb14
n-api: add APIs for per-instance state management
Jul 15, 2019
dc61e09
v8: fix load elimination liveness checks
bnoordhuis Feb 1, 2020
9b2b66b
deps: V8: cherry-pick d89f4ef1cd62
Feb 12, 2020
5484e06
test: scale keepalive timeouts for slow machines
bnoordhuis Dec 7, 2019
42af3b8
build,win: fix goto exit in vcbuild
joaocgreis Dec 13, 2019
ffa9f9b
doc: fix changelog for v10.18.1
andrewhughes101 Jan 14, 2020
9bd1317
test: mark empty udp tests flaky on OS X
sam-github Feb 24, 2020
ecbb331
n-api: add napi_get_all_property_names
himself65 Oct 17, 2019
b53ce6e
deps: upgrade to libuv 1.29.1
cjihrig May 15, 2019
7cde563
deps: upgrade to libuv 1.30.0
cjihrig Jun 27, 2019
ed71f55
deps: upgrade to libuv 1.30.1
cjihrig Jul 2, 2019
794abbc
deps: upgrade to libuv 1.31.0
cjihrig Aug 9, 2019
aed7ca4
deps: upgrade to libuv 1.32.0
cjihrig Sep 9, 2019
6826ef0
deps: upgrade to libuv 1.33.1
cjihrig Oct 19, 2019
fff6162
deps: upgrade to libuv 1.34.0
cjihrig Dec 4, 2019
4b1cccc
deps: upgrade to libuv 1.34.1
cjihrig Jan 12, 2020
098704c
deps: upgrade to libuv 1.34.2
cjihrig Jan 23, 2020
61e2d48
tools: use CC instead of CXX when pointing to gcc
Dec 6, 2019
f235eea
tools: unify make-v8.sh for ppc64le and s390x
richardlau Feb 3, 2020
47046aa
deps: openssl: cherry-pick 4dcb150ea30f
AdamMajer Feb 28, 2020
b164a2e
console: add trace-events for time and count
jasnell Oct 16, 2018
05f5b3e
doc: remove em dashes
Trott Mar 4, 2020
a2b0e9e
tls: expose keylog event on TLSSocket
mildsunrise May 11, 2019
8cae4dd
deps: upgrade npm to 6.14.1
isaacs Feb 27, 2020
c2b3cf6
deps: update npm to 6.14.3
MylesBorins Mar 19, 2020
bf26c44
deps: remove *.pyc files from deps/npm
bnoordhuis Mar 20, 2020
c8f5ab2
deps: upgrade openssl sources to 1.1.1e
hassaanp Mar 17, 2020
64c1848
deps: adjust openssl configuration for 1.1.1e
hassaanp Mar 18, 2020
76033c5
deps: update archs files for OpenSSL-1.1.1e
hassaanp Mar 18, 2020
89692ff
test: end tls connection with some data
sam-github Mar 20, 2020
4390674
url: handle quasi-WHATWG URLs in urlToOptions()
cjihrig Feb 21, 2019
aa7d369
doc: update releaser list in README.md
MylesBorins Mar 31, 2020
8d85a43
deps: update term-size with signed version
rvagg Jan 30, 2020
04cd67f
deps: upgrade npm to 6.14.4
ruyadorno Mar 26, 2020
8a0ed8f
build: macOS package notarization
rvagg Jan 22, 2020
239377b
n-api: correct instance data tests
Mar 25, 2020
e9c590e
n-api: define release 6
Mar 3, 2020
34c1c2a
doc: add missing version metadata for Readable.from
addaleax Jul 15, 2019
2e3d511
doc: correct version metadata for Readable.from
kzar Apr 3, 2020
0177464
doc,tools: get altDocs versions from CHANGELOG.md
richardlau May 12, 2019
1ea70d6
test: fix flaky doctool and test
Trott Oct 15, 2019
ac1ea73
tools: make doctool work if no internet available
richardlau Nov 2, 2019
3756be8
tools: add NODE_TEST_NO_INTERNET to the doc builder
joyeecheung Feb 18, 2020
a175b8d
tools: only fetch previous versions when necessary
richardlau Mar 27, 2020
017909b
test: fix tool path in test-doctool-versions.js
richardlau Apr 3, 2020
246eede
2020-04-08, Version 10.20.0 'Dubnium' (LTS)
BethGriggs Feb 27, 2020
tls: support TLS min/max protocol defaults in CLI
Backport CLI switches for default TLS versions:
- `--tls-max-v1.2`
- `--tls-min-v1.0`
- `--tls-min-v1.1`
- `--tls-min-v1.2`

PR-URL: #27946
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
sam-github authored and BethGriggs committed Feb 24, 2020
commit 1cfb45732a9b257d0c039cae76789757426f263a
32 changes: 32 additions & 0 deletions doc/api/cli.md
Expand Up @@ -359,6 +359,38 @@ added: v4.0.0
Specify an alternative default TLS cipher list. Requires Node.js to be built
with crypto support (default).

### `--tls-max-v1.2`
<!-- YAML
added: REPLACEME
-->

Does nothing, [`tls.DEFAULT_MAX_VERSION`][] is always 'TLSv1.2'. Exists for
compatibility with Node.js 11.x and higher.

### `--tls-min-v1.0`
<!-- YAML
added: REPLACEME
-->

Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1'. Use for compatibility with
old TLS clients or servers.

### `--tls-min-v1.1`
<!-- YAML
added: REPLACEME
-->

Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
with old TLS clients or servers.

### `--tls-min-v1.2`
<!-- YAML
added: REPLACEME
-->

Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. Use this to disable
support for earlier TLS versions, which are less secure.

### `--trace-deprecation`
<!-- YAML
added: v0.8.0
6 changes: 5 additions & 1 deletion doc/api/tls.md
Expand Up @@ -1378,7 +1378,11 @@ added: v10.6.0
* {string} The default value of the `minVersion` option of
[`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
protocol versions, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
**Default:** `'TLSv1'`.
**Default:** `'TLSv1'`, unless changed using CLI options. Using
`--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
the default to `'TLSv1.1'`. Using `--tls-min-v1.2` sets the default to
`'TLSv1.2'`. If multiple of the options are provided, the lowest minimum is
used.

## Deprecated APIs

16 changes: 16 additions & 0 deletions doc/node.1
Expand Up @@ -198,6 +198,22 @@ Specify process.title on startup.
Specify an alternative default TLS cipher list.
Requires Node.js to be built with crypto support. (Default)
.
.It Fl -tls-max-v1.2
Does nothing, the default maxVersion is always 'TLSv1.2'. Exists for
compatibility with Node.js 11.x and higher.
.
.It Fl -tls-min-v1.0
Set default minVersion to 'TLSv1'. Use for compatibility with old TLS clients
or servers.
.
.It Fl -tls-min-v1.1
Set default minVersion to 'TLSv1.1'. Use for compatibility with old TLS clients
or servers.
.
.It Fl -tls-min-v1.2
Set default minVersion to 'TLSv1.2'. Use to disable support for earlier TLS
versions, which are less secure.
.
.It Fl -trace-deprecation
Print stack traces for deprecations.
.
17 changes: 14 additions & 3 deletions lib/tls.js
Expand Up @@ -31,6 +31,7 @@ internalUtil.assertCrypto();
const { isUint8Array } = require('internal/util/types');

const net = require('net');
const { getOptionValue } = require('internal/options');
const url = require('url');
const binding = internalBinding('crypto');
const { Buffer } = require('buffer');
Expand All @@ -52,9 +53,19 @@ exports.DEFAULT_CIPHERS =

exports.DEFAULT_ECDH_CURVE = 'auto';

exports.DEFAULT_MAX_VERSION = 'TLSv1.2';

exports.DEFAULT_MIN_VERSION = 'TLSv1';
if (getOptionValue('--tls-min-v1.0'))
exports.DEFAULT_MIN_VERSION = 'TLSv1';
else if (getOptionValue('--tls-min-v1.1'))
exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
else if (getOptionValue('--tls-min-v1.2'))
exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
else
exports.DEFAULT_MIN_VERSION = 'TLSv1';

if (getOptionValue('--tls-max-v1.2'))
exports.DEFAULT_MAX_VERSION = 'TLSv1.2';
else
exports.DEFAULT_MAX_VERSION = 'TLSv1.2'; // Will depend on node version.

exports.getCiphers = internalUtil.cachedResult(
() => internalUtil.filterDuplicateStrings(binding.getSSLCiphers(), true)
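Review bot: The if/else-if chain that assigns DEFAULT_MIN_VERSION encodes a "lowest minimum wins" precedence (`--tls-min-v1.0` beats `--tls-min-v1.2`), but nothing in the code says so, and because the options are registered with kAllowedInEnvironment in node_options.cc a `--tls-min-v1.0` coming from NODE_OPTIONS silently overrides a stricter flag given on the command line. The behaviour is documented in tls.md, so the code should carry the same statement: `// If several --tls-min-* flags are given (command line or NODE_OPTIONS), the lowest minimum wins.` The if/else on DEFAULT_MAX_VERSION is a no-op, both branches assign 'TLSv1.2'; it reads more honestly as a single assignment with `// --tls-max-v1.2 is accepted for compatibility with 11.x+ but has no effect here: 'TLSv1.2' is the only supported maximum.` rather than the trailing "Will depend on node version." comment.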
17 changes: 17 additions & 0 deletions src/node_options.cc
Expand Up @@ -210,6 +210,23 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {

Insert(&DebugOptionsParser::instance,
&EnvironmentOptions::get_debug_options);

AddOption("--tls-min-v1.0",
"set default TLS minimum to TLSv1.0 (default: TLSv1.0)",
&EnvironmentOptions::tls_min_v1_0,
kAllowedInEnvironment);
AddOption("--tls-min-v1.1",
"set default TLS minimum to TLSv1.1 (default: TLSv1.0)",
&EnvironmentOptions::tls_min_v1_1,
kAllowedInEnvironment);
AddOption("--tls-min-v1.2",
"set default TLS minimum to TLSv1.2 (default: TLSv1.0)",
&EnvironmentOptions::tls_min_v1_2,
kAllowedInEnvironment);
AddOption("--tls-max-v1.2",
"set default TLS maximum to TLSv1.2 (default: TLSv1.2)",
&EnvironmentOptions::tls_max_v1_2,
kAllowedInEnvironment);
}

EnvironmentOptionsParser EnvironmentOptionsParser::instance;
4 changes: 4 additions & 0 deletions src/node_options.h
Expand Up @@ -94,6 +94,10 @@ class EnvironmentOptions : public Options {
bool force_repl = false;

bool insecure_http_parser = false;
bool tls_min_v1_0 = false;
bool tls_min_v1_1 = false;
bool tls_min_v1_2 = false;
bool tls_max_v1_2 = false;

std::vector<std::string> preload_modules;

2 changes: 1 addition & 1 deletion test/parallel/test-process-env-allowed-flags.js
Expand Up @@ -51,7 +51,7 @@ require('../common');
// assert all "canonical" flags begin with dash(es)
{
process.allowedNodeEnvironmentFlags.forEach((flag) => {
assert(/^--?[a-z28_-]+$/.test(flag), `Unexpected format for flag ${flag}`);
assert(/^--?[a-z.0-9_-]+$/.test(flag), `Unexpected format for flag ${flag}`);
});
}

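--- a/test/parallel/test-tls-cli-max-version-1.2.js
+++ b/test/parallel/test-tls-cli-max-version-1.2.js
@@ -0,0 +1,15 @@
+// Flags: --tls-max-v1.2
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that node `--tls-max-v1.2` is supported.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');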
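--- a/test/parallel/test-tls-cli-min-version-1.0.js
+++ b/test/parallel/test-tls-cli-min-version-1.0.js
@@ -0,0 +1,15 @@
+// Flags: --tls-min-v1.0 --tls-min-v1.1
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that `node --tls-v1.0` is supported, and overrides --tls-v1.1.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');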
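Review bot: The explanatory comment in this file names flags that do not exist: `--tls-v1.0` and `--tls-v1.1`, whereas the options registered in node_options.cc (and the `// Flags:` line two lines above) are `--tls-min-v1.0` and `--tls-min-v1.1`. The same slip appears in test-tls-cli-min-version-1.1.js (`--tls-v1.1`). Since this test is the only place that exercises the precedence between two min flags, the comment should also say what is being checked: `// Check that node --tls-min-v1.0 is supported and takes precedence over --tls-min-v1.1 (the lowest minimum wins).`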
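--- a/test/parallel/test-tls-cli-min-version-1.1.js
+++ b/test/parallel/test-tls-cli-min-version-1.1.js
@@ -0,0 +1,15 @@
+// Flags: --tls-min-v1.1
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that node `--tls-v1.1` is supported.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.1');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');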
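--- a/test/parallel/test-tls-cli-min-version-1.2.js
+++ b/test/parallel/test-tls-cli-min-version-1.2.js
@@ -0,0 +1,15 @@
+// Flags: --tls-min-v1.2
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that node `--tls-min-v1.2` is supported.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.2');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');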
30 changes: 25 additions & 5 deletions test/parallel/test-tls-min-max-version.js
Expand Up @@ -10,11 +10,12 @@ const {
const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION;
const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION;

// For v11.x, the default is fixed and cannot be changed via CLI.
assert.strictEqual(DEFAULT_MIN_VERSION, 'TLSv1');

function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
assert(proto || cerr || serr, 'test missing any expectations');
// Report where test was called from. Strip leading garbage from
// at Object.<anonymous> (file:line)
// from the stack location, we only want the file:line part.
const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, '');
connect({
client: {
checkServerIdentity: (servername, cert) => { },
Expand All @@ -34,9 +35,28 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
function u(_) { return _ === undefined ? 'U' : _; }
console.log('test:', u(cmin), u(cmax), u(cprot), u(smin), u(smax), u(sprot),
'expect', u(proto), u(cerr), u(serr));
console.log(' ', where);
if (!proto) {
console.log('client', pair.client.err ? pair.client.err.code : undefined);
console.log('server', pair.server.err ? pair.server.err.code : undefined);
function setCode(err) {
if (!err) return;
if (err.code) return;
// Convert error message to a .code, because .code wasn't always present
// in older versions.
if (/unsupported protocol/.test(err.message))
err.code = 'ERR_SSL_UNSUPPORTED_PROTOCOL';
else if (/wrong version number/.test(err.message))
err.code = 'ERR_SSL_WRONG_VERSION_NUMBER';
else if (/version too low/.test(err.message))
err.code = 'ERR_SSL_UNSUPPORTED_PROTOCOL';
else
err.code = err.message;
}
setCode(pair.server.err);
setCode(pair.client.err);
console.log('client', pair.client.err ? pair.client.err.code :
pair.client.err);
console.log('server', pair.server.err ? pair.server.err.code :
pair.server.err);
// 11.x doesn't have https://github.com/nodejs/node/pull/24729
if (cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
pair.client.err &&
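Review bot: `setCode` is declared inside the per-connection callback of `test()` even though it closes over nothing, so it is re-created on every failing case and sits between the logging statements it serves; hoisting it to module scope next to `u()` would make the `if (!proto)` branch read as plain reporting code. Its final fallback `err.code = err.message;` also means an unrecognised OpenSSL message is compared verbatim against the expected `cerr`/`serr` codes, which is presumably intended for this backport but deserves a one-line comment saying so, e.g. `// Unknown messages are surfaced as-is so the mismatch is visible in the assertion.` The enclosing `test()` function and the connect callback continue past the end of this hunk.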