Externalise tls.DEFAULT_CIPHERS please! #46462
Comments
When you say "externalise" you mean "document"? PR welcome, I suppose.
Wouldn't you need to do that anyway as good engineering practice?
I'll see if I can find the right place to change for a PR :-) I just wanted to check it wouldn't cause problems, like "no, don't do that, if people start using that variable it'll cause them to do this other Bad Thing". Yes, we review approximately every 3 months which is more often than we (currently) rebuild node.js, though this may change. I'd also like to be able to handle the case where the customer provides the node.js instance so being able to handle it from within the JS would be nice! Right, I'll look at that PR then, cheers.
The DEFAULT_CIPHERS already exists, this change shows how to use it. Fixes: nodejs#46462
What is the problem this feature will solve?
We would like to modify the default ciphers on startup, unless the user has overridden with --tls-cipher-list. So for example on startup, we'll compare tls.DEFAULT_CIPHERS against crypto.constants.defaultCoreCipherList and if they're the same (the user hasn't overridden on command line) then we might want to remove some older / weaker ciphers.
This also means we can customise the modification to remove more things, but still get the benefit of any new, stronger ciphers added.
What is the feature you are proposing to solve the problem?
We can do it today using the above method, but because tls.DEFAULT_CIPHERS isn't documented it's implied that you may remove it in the future, I'm asking for it to be documented.
What alternatives have you considered?
We could build and set crypto.constants.defaultCoreCipherList ourselves, but when we then upgrade we would need to re-review the cipher list to add in any new ciphers to our "blessed" list. Using the above method is more dynamic and easier to change (i.e. we don't need to rebuild).