Skip to content

Improvements to tls API documentation, batch 1 #9800

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
sam-github wants to merge 19 commits into from
Closed

Improvements to tls API documentation, batch 1 #9800

Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
8ea758c
tls: fix/annotate connect arg comments
sam-github Nov 18, 2016
516a9d9
tls: document and test option-less createServer
sam-github Nov 21, 2016
cd1fdfb
test: tls key/cert ordering not necessary
sam-github Nov 22, 2016
28a3045
tls: do not refer to secureOptions as flags
sam-github Nov 22, 2016
53cfdb0
doc: document all TLSSocket options
sam-github Nov 23, 2016
43b8c9e
doc: describe all tls.connect() variants
sam-github Nov 23, 2016
c94b954
doc: socket passed to tls.connect is user managed
sam-github Nov 24, 2016
b9a6642
doc: describe tls passphrase use with pfx and key
sam-github Nov 24, 2016
8c25224
doc: describe tls cert and ca options
sam-github Nov 24, 2016
90e01ff
doc: describe buffer forms of tls crl option
sam-github Nov 24, 2016
706efcd
doc: describe tls cipher option and defaults
sam-github Nov 24, 2016
be11388
doc: fix link to Crypto Constants
sam-github Nov 25, 2016
17405b6
doc: honorCipherOrder sets CIPHER_SERVER_PREFERENCE
sam-github Nov 25, 2016
5c078e5
doc: describe tls ecdhCurve/dhparam options
sam-github Nov 25, 2016
e8e59e4
doc: describe tls secureProtocol option
sam-github Nov 25, 2016
797b334
doc: describe tls secureOptions
sam-github Nov 25, 2016
5a85e08
doc: describe tls sessionIdContext
sam-github Nov 25, 2016
bb89227
doc: de-deduplicate secure context docs
sam-github Nov 25, 2016
a52555e
test: var to const in tls-no-cert-required
sam-github Dec 9, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
doc: describe tls cipher option and defaults
  • Loading branch information
@sam-github
sam-github committed Dec 9, 2016
commit 706efcd3279299e6c0e40a0be856555206b7eae0
18 changes: 12 additions & 6 deletions doc/api/tls.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,11 +179,18 @@ line switch. For instance, the following makes
node --tls-cipher-list="ECDHE-RSA-AES128-GCM-SHA256:!RC4"
```

The default can also be replaced on a per client or server basis using the
`ciphers` option from [`tls.createSecureContext()`][], which is also available
in [`tls.createServer()`], [`tls.connect()`], and when creating new
[`tls.TLSSocket`]s.

Consult [OpenSSL cipher list format documentation][] for details on the format.

*Note*: The default cipher suite included within Node.js has been carefully
selected to reflect current security best practices and risk mitigation.
Changing the default cipher suite can have a significant impact on the security
of an application. The `--tls-cipher-list` switch should by used only if
absolutely necessary.
of an application. The `--tls-cipher-list` switch and `ciphers` option should by
used only if absolutely necessary.

## Class: tls.Server
<!-- YAML
Expand Down Expand Up @@ -911,10 +918,8 @@ added: v0.11.13
self-signed certificate must be provided to verify the peer.
* `crl` {string|string[]|Buffer|Buffer[]} Optional PEM formatted
CRLs (Certificate Revocation Lists).
* `ciphers` {string} A string describing the ciphers to use or exclude.
Consult
<https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT>
for details on the format.
* `ciphers` {string} Optional cipher suite specification, replacing the
default. For more information, see [modifying the default cipher suite][].
* `honorCipherOrder` {boolean} If `true`, when a cipher is being selected,
the server's preferences will be used instead of the client preferences.

Expand Down Expand Up @@ -1234,6 +1239,7 @@ where `secure_socket` has the same API as `pair.cleartext`.

[OpenSSL cipher list format documentation]: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT
[Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
[modifying the default cipher suite]: #tls_modifying_the_default_tls_cipher_suite
[specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
[`crypto.getCurves()`]: crypto.html#crypto_crypto_getcurves
[`tls.createServer()`]: #tls_tls_createserver_options_secureconnectionlistener
Expand Down