From ff8f6e3b4c2152f179a79008b917d5625f1c1ef1 Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Mon, 22 Oct 2018 11:40:28 +0200 Subject: [PATCH 1/2] tls: disable TLS v1.0 and v1.1 by default Refs: https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ --- doc/api/tls.md | 3 ++- src/node_crypto.cc | 5 ++++- test/parallel/test-https-agent-additional-options.js | 3 ++- test/parallel/test-https-agent-session-eviction.js | 3 ++- test/parallel/test-tls-getprotocol.js | 1 + test/parallel/test-tls-session-cache.js | 3 ++- 6 files changed, 13 insertions(+), 5 deletions(-) diff --git a/doc/api/tls.md b/doc/api/tls.md index 8700839c400b38..a7a79dbc7d2797 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -1119,7 +1119,8 @@ changes: [OpenSSL Options][]. * `secureProtocol` {string} SSL method to use. The possible values are listed as [SSL_METHODS][], use the function names as strings. For example, - `'TLSv1_2_method'` to force TLS version 1.2. **Default:** `'TLS_method'`. + `'TLSv1_2_method'` to force TLS version 1.2. + **Default:** `'TLSv1_2_method'`. * `sessionIdContext` {string} Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients. diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 6b803f685b9f32..1ca0351683d63e 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -396,7 +396,7 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); Environment* env = sc->env(); - int min_version = 0; + int min_version = TLS1_2_VERSION; int max_version = 0; const SSL_METHOD* method = TLS_method(); @@ -425,6 +425,9 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { method = TLS_server_method(); } else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) { method = TLS_client_method(); + } else if (strcmp(*sslmethod, "TLS_method") == 0) { + min_version = 0; + max_version = 0; } else if (strcmp(*sslmethod, "TLSv1_method") == 0) { min_version = TLS1_VERSION; max_version = TLS1_VERSION; diff --git a/test/parallel/test-https-agent-additional-options.js b/test/parallel/test-https-agent-additional-options.js index eaa6ea710e4d9f..0c713d9aa10e27 100644 --- a/test/parallel/test-https-agent-additional-options.js +++ b/test/parallel/test-https-agent-additional-options.js @@ -11,7 +11,8 @@ const fixtures = require('../common/fixtures'); const options = { key: fixtures.readKey('agent1-key.pem'), cert: fixtures.readKey('agent1-cert.pem'), - ca: fixtures.readKey('ca1-cert.pem') + ca: fixtures.readKey('ca1-cert.pem'), + secureProtocol: 'TLS_method', }; const server = https.Server(options, function(req, res) { diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js index cf6a1341c1e03f..04fee257ed8161 100644 --- a/test/parallel/test-https-agent-session-eviction.js +++ b/test/parallel/test-https-agent-session-eviction.js @@ -54,7 +54,8 @@ function faultyServer(port) { function second(server, session) { const req = https.request({ port: server.address().port, - rejectUnauthorized: false + rejectUnauthorized: false, + secureProtocol: 'TLS_method', }, function(res) { res.resume(); }); diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js index bf75eb8a398647..20018241e33572 100644 --- a/test/parallel/test-tls-getprotocol.js +++ b/test/parallel/test-tls-getprotocol.js @@ -17,6 +17,7 @@ const clientConfigs = [ ]; const serverConfig = { + secureProtocol: 'TLS_method', key: fixtures.readSync('/keys/agent2-key.pem'), cert: fixtures.readSync('/keys/agent2-cert.pem') }; diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js index 55dd92e81d259c..2a74be0521df21 100644 --- a/test/parallel/test-tls-session-cache.js +++ b/test/parallel/test-tls-session-cache.js @@ -48,7 +48,8 @@ function doTest(testOptions, callback) { cert, ca: [cert], requestCert: true, - rejectUnauthorized: false + rejectUnauthorized: false, + secureProtocol: 'TLS_method', }; let requestCount = 0; let resumeCount = 0; From 8f469918880f8cfcc898330a42fca3ba2a7302c7 Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Fri, 26 Oct 2018 22:09:56 +0200 Subject: [PATCH 2/2] squash! add --tls-v1.0 and --tls-v1.1 flags --- doc/api/cli.md | 16 ++++++++++++++++ doc/node.1 | 8 ++++++++ src/node_crypto.cc | 3 +++ src/node_options.cc | 11 +++++++++++ src/node_options.h | 5 +++++ .../test-https-agent-additional-options.js | 6 +++--- .../test-https-agent-session-eviction.js | 4 ++-- test/parallel/test-process-env-allowed-flags.js | 3 ++- 8 files changed, 50 insertions(+), 6 deletions(-) diff --git a/doc/api/cli.md b/doc/api/cli.md index b6e42a5bc8100d..332b6de93f6873 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -323,6 +323,22 @@ added: v4.0.0 Specify an alternative default TLS cipher list. Requires Node.js to be built with crypto support (default). +### `--tls-v1.0` + + +Enable TLSv1.0. This should only be used for compatibility with old TLS +clients or servers. + +### `--tls-v1.1` + + +Enable TLSv1.1. This should only be used for compatibility with old TLS +clients or servers. + ### `--trace-deprecation`