Support both OpenSSL 1.1.0 and 1.0.2 #16130

Closed
wants to merge 26 commits into from

26 commits
684e25c
crypto: use X509_STORE_CTX_new
davidben Sep 16, 2017
e9e70ba
crypto: make node_crypto_bio 1.1.0-compatible.
davidben Sep 14, 2017
2e11a4b
crypto: estimate kExternalSize based on a build of OpenSSL 1.1.0f.
davidben Sep 16, 2017
f7cc8d4
crypto: remove unnecessary SSLerr calls
davidben Sep 16, 2017
382ffc7
crypto: account for new 1.1.0 SSL APIs
davidben Sep 17, 2017
4b51882
crypto: test DiffieHellman keys work without a public half.
davidben Sep 17, 2017
4db2314
crypto: use RSA and DH accessors.
davidben Sep 17, 2017
17d6752
crypto: no need for locking callbacks in OpenSSL 1.1.0.
davidben Sep 18, 2017
cbf147f
crypto: make CipherBase 1.1.0-compatible
davidben Sep 20, 2017
9947d57
crypto: make Hash 1.1.0-compatible
davidben Sep 22, 2017
95f56be
crypto: make SignBase compatible with OpenSSL 1.1.0
davidben Sep 22, 2017
e2f6b96
crypto: Make Hmac 1.1.0-compatible
davidben Sep 22, 2017
52a4334
crypto: add compatibility logic for "DSS1" and "dss1"
davidben Sep 23, 2017
8b0b970
crypto: hard-code tlsSocket.getCipher().version
davidben Sep 23, 2017
974dd52
test: update test expectations for OpenSSL 1.1.0.
davidben Sep 17, 2017
272fcbc
test: remove sha from test expectations.
davidben Sep 23, 2017
4fc521a
crypto: emulate OpenSSL 1.0.x ticket scheme in 1.1.x
davidben Sep 23, 2017
6b49375
test: test with a larger RSA key
davidben Sep 23, 2017
b98fb15
test: revise test-tls-econnreset
davidben Sep 23, 2017
f913eae
crypto: don't call deprecated ECDH APIs in 1.1.0
davidben Sep 23, 2017
6e1033b
test: configure certs in tests
davidben Sep 23, 2017
af94ddd
test: fix test-https-agent-session-eviction for 1.1.0
davidben Sep 23, 2017
8c432ee
crypto: make ALPN behave the same in 1.0.2 and 1.1.0
davidben Sep 23, 2017
4bdd2b1
crypto: clear some easy SSL_METHOD deprecation warnings
davidben Sep 18, 2017
61f5494
test: fix flakiness in test-http2-create-client-connect
davidben Sep 23, 2017
b1f5264
crypto: deprecate {ecdhCurve: false}.
davidben Oct 21, 2017
10 changes: 10 additions & 0 deletions doc/api/deprecations.md
@@ -737,6 +737,16 @@ Type: Runtime
internal mechanics of the `REPLServer` itself, and is therefore not
necessary in user space.

<a id="DEP0083"></a>
### DEP0083: Disabling ECDH by setting ecdhCurve to false

Type: Runtime

The `ecdhCurve` option to `tls.createSecureContext()` and `tls.TLSSocket` could
be set to `false` to disable ECDH entirely on the server only. This mode is
deprecated in preparation for migrating to OpenSSL 1.1.0 and consistency with
the client. Use the `ciphers` parameter instead.


[`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size
[`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array
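Review bot: the replacement advice in the new DEP0083 text ("Use the `ciphers` parameter instead") does not say how to reproduce the disabled-ECDH behaviour with that option. Suggest stating that the cipher list has to exclude the ECDHE suites (appending `:!ECDHE` to the list is the usual way) so that readers migrating away from `{ ecdhCurve: false }` know what to write, and that passing `false` now emits a runtime warning while still disabling ECDH until the option is removed.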
6 changes: 3 additions & 3 deletions doc/api/tls.md
@@ -558,12 +558,12 @@ Always returns `true`. This may be used to distinguish TLS sockets from regular
added: v0.11.4
-->

Returns an object representing the cipher name and the SSL/TLS protocol version
that first defined the cipher.
Returns an object representing the cipher name. The `version` key is a legacy
field which always contains the value `'TLSv1/SSLv3'`.

For example: `{ name: 'AES256-SHA', version: 'TLSv1/SSLv3' }`

See `SSL_CIPHER_get_name()` and `SSL_CIPHER_get_version()` in
See `SSL_CIPHER_get_name()` in
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CIPHER_get_name.html for more
information.

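Review bot: the YAML block above this text carries only `added: v0.11.4`, but the hunk changes what `version` means (a constant `'TLSv1/SSLv3'` rather than the protocol that defined the cipher), which is an observable behaviour change; add a `changes:` entry there recording the release and this PR. The new wording also leaves readers who used `version` without a replacement; suggest a sentence pointing them at `tlsSocket.getProtocol()` for the negotiated protocol version.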
12 changes: 12 additions & 0 deletions lib/_tls_common.js
@@ -65,6 +65,16 @@ function validateKeyCert(value, type) {
exports.SecureContext = SecureContext;


function ecdhCurveWarning() {
if (ecdhCurveWarning.emitted) return;
process.emitWarning('{ ecdhCurve: false } is deprecated.',
'DeprecationWarning',
'DEP0083');
ecdhCurveWarning.emitted = true;
}
ecdhCurveWarning.emitted = false;


exports.createSecureContext = function createSecureContext(options, context) {
if (!options) options = {};

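Review bot: the warning text `'{ ecdhCurve: false } is deprecated.'` does not name the replacement that the DEP0083 entry gives (the `ciphers` option), so a user seeing it at runtime has to look the code up; suggest `'{ ecdhCurve: false } is deprecated. Use the ciphers option instead.'`. Style: hanging the `emitted` flag on the function object works, but a module-scoped `let ecdhCurveWarningEmitted = false;` next to the function reads more clearly and avoids the trailing `ecdhCurveWarning.emitted = false;` initialisation line.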
@@ -140,6 +150,8 @@ exports.createSecureContext = function createSecureContext(options, context) {
c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
else if (options.ecdhCurve)
c.context.setECDHCurve(options.ecdhCurve);
else
ecdhCurveWarning();

if (options.dhparam) {
const warning = c.context.setDHParam(options.dhparam);
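Review bot: the new `else` branch is reached by every value that fails the two preceding tests, not only `false`; because the test just above it is a truthiness check on `options.ecdhCurve`, values such as `null`, `''` and `0` also reach `ecdhCurveWarning()` and receive a warning that talks about `{ ecdhCurve: false }`. Either test `options.ecdhCurve === false` explicitly (and decide separately what the other falsy values should do) or broaden the warning text. A one-line comment that `setECDHCurve` is intentionally not called in this branch, so ECDH stays disabled for the deprecation period, would also help the next reader.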
4 changes: 4 additions & 0 deletions src/node_constants.cc
@@ -759,6 +759,10 @@ void DefineSignalConstants(Local<Object> target) {
}

void DefineOpenSSLConstants(Local<Object> target) {
#ifdef OPENSSL_VERSION_NUMBER
NODE_DEFINE_CONSTANT(target, OPENSSL_VERSION_NUMBER);
#endif

#ifdef SSL_OP_ALL
NODE_DEFINE_CONSTANT(target, SSL_OP_ALL);
#endif
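Review bot: `OPENSSL_VERSION_NUMBER` is taken from the header Node was compiled against, not from the library loaded at run time, and on a build that links a shared system OpenSSL the two can differ. Add a comment above the `NODE_DEFINE_CONSTANT` stating that the constant reflects the build-time version, so JS code that reads it to pick between 1.0.2 and 1.1.0 behaviour does not assume it describes the loaded library. The `#ifdef` guard is consistent with the `SSL_OP_*` guards below, so no change needed there.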