Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(cmd-api-server): Refuse to run on NodeJS 10 by default #150

Closed
petermetz opened this issue May 24, 2020 · 1 comment · Fixed by #210
Closed

feat(cmd-api-server): Refuse to run on NodeJS 10 by default #150

petermetz opened this issue May 24, 2020 · 1 comment · Fixed by #210
Assignees
Labels
dependencies Pull requests that update a dependency file documentation Improvements or additions to documentation enhancement New feature or request Security Related to existing or potential security vulnerabilities
Milestone

Comments

@petermetz
Copy link
Contributor

Description

As an ops/sec person I want to have safe defaults wherever possible so that (hopefully) my life doesn't get ruined by a data breach caused by unsecured software I deployed after failing to read the manual/fine print/etc.

NodeJS 10 sort of supports TLSv1.3 but not really. Meaning that there's a flag that can be set to accept TLSv1.3, but when it comes down to the implementation it's just not there and in fact throws exceptions if you try to use it:
https://github.com/nodejs/node/blob/v10.20.1/lib/_tls_common.js#L44

So my proposal here is to discontinue NodeJS v10 support and start having the minimum as NodeJS 12.
This also gives us some extra goodies like certain elliptic curve crypto features that came in with v12.

Another justification is that the current LTS Is already 12 and stable v14 is already out so we should keep up with the world.

Acceptance Criteria

  1. Cactus doesn't start on Node 10 by default, but possible to configure it so that it does work and uses TLS 1.2. This way people can opt in to less secure versions, but they won't get exposed unknowingly.
  2. package.json file is updated to match these constraints

cc: @jonathan-m-hamilton @sfuji822 @takeutak @hartm

@petermetz petermetz added bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request dependencies Pull requests that update a dependency file labels May 24, 2020
@petermetz petermetz self-assigned this May 24, 2020
@petermetz petermetz added Security Related to existing or potential security vulnerabilities and removed bug Something isn't working labels May 25, 2020
@petermetz petermetz added this to the v0.2.0 milestone Jun 9, 2020
@jonathan-m-hamilton
Copy link
Contributor

Discussed in maintainers call on moving to version 12

@petermetz petermetz changed the title Phase Out Support for Node 10x feat(cmd-api-server): Refuse to run on NodeJS 10 by default Jun 26, 2020
petermetz added a commit to petermetz/cacti that referenced this issue Jun 26, 2020
…de optional override

1. Node 10 is no longer the LTS version
2. Node 10 does not properly support TLS v1.3

fix hyperledger-cacti#150

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Jun 26, 2020
…de optional override

1. Node 10 is no longer the LTS version
2. Node 10 does not properly support TLS v1.3
3. The CI script will no longer run against Node 10 just 12 and 14.

fix hyperledger-cacti#150

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Jun 30, 2020
…de optional override

1. Node 10 is no longer the LTS version
2. Node 10 does not properly support TLS v1.3
3. The CI script will no longer run against Node 10 just 12 and 14.

fix hyperledger-cacti#150

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
sfuji822 pushed a commit that referenced this issue Jun 30, 2020
…de optional override

1. Node 10 is no longer the LTS version
2. Node 10 does not properly support TLS v1.3
3. The CI script will no longer run against Node 10 just 12 and 14.

fix #150

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file documentation Improvements or additions to documentation enhancement New feature or request Security Related to existing or potential security vulnerabilities
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants