From 2660a321e15196b8bc69320db9fc7e3bbe2d05ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Sun, 12 Mar 2023 19:35:55 +0100 Subject: [PATCH] tls: support automatic DHE Node.js has so far only supported user-defined DHE parameters and even recommended generating custom parameters. This change lets users set the dhparam option to 'auto' instead, in which case DHE parameters of sufficient strength are selected automatically (from a small set of well-known parameters). This has been recommended by OpenSSL for quite a while, and it makes it much easier for Node.js TLS servers to properly support DHE-based perfect forward secrecy. This also updates the documentation to prioritize ECDHE over DHE, mostly because the former tends to be more efficient and is enabled by default. PR-URL: https://github.com/nodejs/node/pull/46978 Reviewed-By: Luigi Pinca Reviewed-By: Ben Noordhuis --- doc/api/tls.md | 42 ++++++++-------- lib/internal/tls/secure-context.js | 2 +- src/crypto/crypto_context.cc | 9 ++++ .../test-tls-client-getephemeralkeyinfo.js | 17 ++++++- test/parallel/test-tls-dhe.js | 50 +++++++++++++++---- 5 files changed, 87 insertions(+), 33 deletions(-) diff --git a/doc/api/tls.md b/doc/api/tls.md index 7cbcee6ad3a0b6..1ae615bd027281 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -123,23 +123,17 @@ all sessions). Methods implementing this technique are called "ephemeral". Currently two methods are commonly used to achieve perfect forward secrecy (note the character "E" appended to the traditional abbreviations): -* [DHE][]: An ephemeral version of the Diffie-Hellman key-agreement protocol. * [ECDHE][]: An ephemeral version of the Elliptic Curve Diffie-Hellman key-agreement protocol. +* [DHE][]: An ephemeral version of the Diffie-Hellman key-agreement protocol. -To use perfect forward secrecy using `DHE` with the `node:tls` module, it is -required to generate Diffie-Hellman parameters and specify them with the -`dhparam` option to [`tls.createSecureContext()`][]. The following illustrates -the use of the OpenSSL command-line interface to generate such parameters: - -```bash -openssl dhparam -outform PEM -out dhparam.pem 2048 -``` +Perfect forward secrecy using ECDHE is enabled by default. The `ecdhCurve` +option can be used when creating a TLS server to customize the list of supported +ECDH curves to use. See [`tls.createServer()`][] for more info. -If using perfect forward secrecy using `ECDHE`, Diffie-Hellman parameters are -not required and a default ECDHE curve will be used. The `ecdhCurve` property -can be used when creating a TLS Server to specify the list of names of supported -curves to use, see [`tls.createServer()`][] for more info. +DHE is disabled by default but can be enabled alongside ECDHE by setting the +`dhparam` option to `'auto'`. Custom DHE parameters are also supported but +discouraged in favor of automatically selected, well-known parameters. Perfect forward secrecy was optional up to TLSv1.2. As of TLSv1.3, (EC)DHE is always used (with the exception of PSK-only connections). @@ -1798,6 +1792,10 @@ argument.