-
Notifications
You must be signed in to change notification settings - Fork 577
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable EXPORT and LOW SSLv3+ ciphers by default for Argon, v0.12 and v0.10 #85
Comments
Ok so if you build by default openssl does not define OPENSSL_NO_WEAK_SSL_CIPHERS or is it that because we have a pre-configured build files we did not define OPENSSL_NO_WEAK_SSL_CIPHERS even though a default build of openssl does ? |
These weak ciphers are disabled by default in At the last openssl upgrading of openssl in Node, we missed to add the new define to |
@shigeki .. which LTS versions does this apply to? |
@jasnell For v4.x (Argon), v0.12 and v0.10. This change is included in both openssl-1.0.2 and 1.0.1. |
I'm OK with this but technically I think we'd have to do a minor bump in v4. |
@shigeki - So that its 100% clear my understanding is:
If that's the case then I'd agree we want to disable them as I think we already believed we had. |
@mhdawson Yes for both 1) and 2). I open this issue because it affects users who are using weak ciphers(LOW and EXPORT) with explicitly defining their cipher suites. Default cipher in Node does not include them. |
@jasnell I reckon we could do this as semver-patch as a "bugfix" for what should have been done in 4.3. It should get in asap. |
@shigeki the justification for enabling LOW and EXPORT is weaker than the justification for enabling SSLv2 right? There's no good reason to be using them at all at this stage is there? I'd be happy with a PR against 0.10-staging and 0.12-staging for inclusion in the next releases there. |
Here is the list of ciphers to be disabled by Each of them can be classified to
I think that they have no longer reasons to be supported for current use. I will submit a PR for v0.12 soon.
|
Yeah, I agree, unless @nodejs/crypto or @nodejs/lts have objections I'd like us to move forward with removing these from 0.10 and 0.12 and v4. As I said above, I'm happy for them to be considered a bugfix on top of the 1.0.1s ad 1.0.2g upgrades where they should have been disabled, negating the need for semver-minor in v4. Even with my normally conservative approach to LTS changes, I find it very difficult to imagine that any of the above ciphers listed by @shigeki have any reason for being enabled in a Node stack, particularly a v4 one where presumably the user is at least putting in some effort to be "modern". |
I'm fine with disabling them in a patch release. Realistically, no one in their right mind is using those ciphers. |
+1 from me. |
+1 from me |
+1. SGTM
|
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85 PR-URL: nodejs#5712 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. Fixes: nodejs/Release#85 PR-URL: nodejs#5712 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85 PR-URL: #5712 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. Fixes: nodejs/Release#85 PR-URL: #5712 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85 PR-URL: #5712 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add AES128-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. Fixes: nodejs/Release#85 PR-URL: #5712 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Thanks for all your agreements. The fixes were landed in v0.12-staging and v0.10-staging. |
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
Notable changes: * npm: Upgrade to v2.15.1. (Forrest L Norvell) * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712
Notable changes: * npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712
Notable changes: * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. (Forrest L Norvell) #5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712 PR-URL: #5967
Notable changes: * npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) #5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712 PR-URL: #5968
Notable changes: * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. (Forrest L Norvell) #5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712 PR-URL: #5967
Notable changes: * npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) #5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712 PR-URL: #5968
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85 PR-URL: nodejs/node#5712 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. Fixes: nodejs/Release#85 PR-URL: nodejs/node#5712 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Notable changes: * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. (Forrest L Norvell) nodejs/node#5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) nodejs/node#5712 PR-URL: nodejs/node#5967
OpenSSL-1.0.1s and 1.0.2g disables EXPORT and LOW ciphers in openssl/openssl@abd5d8f .
We missed to add
OPENSSL_NO_WEAK_SSL_CIPHERS
at the last upgrading so I would like to add it to config. They are weak ciphers so that they are not included in the default cipher list.I would like to add this without adding new command line flag even it leads some incpompatibilies because using them is too unsafe like SSLv2.
Ref: nodejs/node#5630
The text was updated successfully, but these errors were encountered: