[v10.x backport] TLS1.3 (and dependent PRs) #27432

Closed
wants to merge 21 commits into from
Changes from 1 commit
a868ebe deps: update OpenSSL upgrade process (sam-github, Mar 1, 2019)
c80bff3 deps: upgrade openssl sources to 1.1.1b (sam-github, Apr 25, 2019)
63aa831 deps: openssl-1.1.1b no longer packages .gitignore (sam-github, Feb 26, 2019)
1cea121 deps: add ARM64 Windows support in openssl (shigeki, Feb 23, 2019)
c2310c7 deps: add s390 asm rules for OpenSSL-1.1.1 (shigeki, Mar 7, 2018)
f54db0b deps: update archs files for OpenSSL-1.1.1b (sam-github, Apr 25, 2019)
f47e208 tls: support changing credentials dynamically (cjihrig, Oct 13, 2018)
5f5d3c9 tls: get the local certificate after tls handshake (sam-github, Nov 8, 2018)
4a82835 tls: fix initRead socket argument name (sam-github, Dec 19, 2018)
78b42fc tls: do not confuse session and session ID (sam-github, Dec 19, 2018)
a6635b2 src: use consistent names for JSStream (sam-github, Dec 19, 2018)
ae7c74c tls: remove unused ocsp extension parsing (sam-github, Dec 19, 2018)
6b327e5 src: in-source comments and minor TLS cleanups (sam-github, Jan 16, 2019)
2d25b65 tls: introduce client 'session' event (sam-github, Jan 30, 2019)
8c7406f tls: do not free cert in `.getCertificate()` (addaleax, Jan 14, 2019)
38838af src: remove unused TLWrap::EnableTrace() (sam-github, Jan 31, 2019)
d3c7020 src: organize TLSWrap declarations by parent (sam-github, Jan 31, 2019)
1c3c9f3 tls: don't shadow the tls global with a local (sam-github, Jan 31, 2019)
750b906 src: const_cast is necessary for 1.1.1, not 0.9.7 (sam-github, Jan 31, 2019)
5febe41 src: refactor SSLError case statement (sam-github, Jan 31, 2019)
1f65f18 tls: support "BEGIN TRUSTED CERTIFICATE" for ca: (sam-github, Nov 30, 2018)
tls: support "BEGIN TRUSTED CERTIFICATE" for ca:
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Fixes: #24761

PR-URL: #24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
sam-github committed Apr 29, 2019

Verified

This commit was signed with the committer’s verified signature.
snyk-bot Snyk bot
commit 1f65f18eea290311ac4db598809361e526b2c0ec
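The commit message says the ca: option now takes the same PEM forms that openssl accepts for a CAfile, and the diff below swaps the reader to PEM_read_bio_X509_AUX so the "TRUSTED CERTIFICATE" label parses. The script that follows is an added example, not code from this PR or from the Node.js project: it builds a throwaway self-signed CA with the openssl CLI, re-encodes it as a "TRUSTED CERTIFICATE" block (the form `openssl x509 -trustout` emits, optionally with an `-addtrust` purpose), and then feeds that file to tls.createSecureContext({ ca }) to see whether the running Node accepts it. The subject name, file names and the WORK directory are assumptions chosen for the example.

```sh
#!/bin/sh
# Added example (not part of the Node.js PR): produce a "TRUSTED CERTIFICATE"
# PEM with openssl and check whether this Node build loads it via the ca: option.
set -eu

# Scratch directory; override with WORK=/some/dir if desired (assumption).
WORK=${WORK:-$(mktemp -d)}

# Constructed test CA: a self-signed RSA cert, valid for one day, no password.
# Prints the path of the plain "CERTIFICATE" PEM.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=example-test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  echo "$WORK/ca.pem"
}

# Re-encode a plain certificate as "TRUSTED CERTIFICATE". -trustout selects the
# aux-carrying PEM form; -addtrust records an explicit trust purpose in that aux
# data, which is what PEM_read_bio_X509 (pre-fix) could not parse.
to_trusted() {
  openssl x509 -in "$1" -trustout -addtrust serverAuth -out "$WORK/ca-trusted.pem"
  echo "$WORK/ca-trusted.pem"
}

# Print the PEM label of the first block in a file, e.g. "TRUSTED CERTIFICATE".
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Try to load the file as ca: in Node. Prints "ok" when the secure context is
# created, "fail: <reason>" otherwise (a Node without this fix throws on the
# trusted form while accepting the plain one).
node_loads_ca() {
  node -e '
    const fs = require("fs");
    const tls = require("tls");
    try {
      tls.createSecureContext({ ca: fs.readFileSync(process.argv[1]) });
      console.log("ok");
    } catch (e) {
      console.log("fail: " + e.message);
    }
  ' "$1"
}

# Stand-alone run: build both forms and report how Node treats each.
if [ "${1:-}" = "run" ]; then
  plain=$(make_test_ca)
  trusted=$(to_trusted "$plain")
  echo "$(pem_label "$plain"): $(node_loads_ca "$plain")"
  echo "$(pem_label "$trusted"): $(node_loads_ca "$trusted")"
fi
```

Run it as `sh trusted-ca.sh run`; on a Node that carries this commit both lines end in "ok", on an older build the second one reports the PEM parse failure that the original test expected as UNABLE_TO_GET_ISSUER_CERT_LOCALLY at handshake time.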
7 changes: 5 additions & 2 deletions doc/api/tls.md
@@ -1184,6 +1184,9 @@ argument.
added: v0.11.13
changes:
- version: REPLACEME
pr-url: REPLACEME
description: The `ca:` option now supports `BEGIN TRUSTED CERTIFICATE`.
- version: v11.4.0
pr-url: https://github.com/nodejs/node/pull/24405
description: The `minVersion` and `maxVersion` can be used to restrict
the allowed TLS protocol versions.
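Review bot: the two REPLACEME placeholders in the new `changes:` entry (version and pr-url) need to be resolved before this backport lands; the commit message already names the PR (#24733), so pr-url can be taken from it, and version should be the v10.x release this ships in rather than the v11 line where the change first landed.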
@@ -1225,8 +1228,8 @@ changes:
certificate can match or chain to.
For self-signed certificates, the certificate is its own CA, and must be
provided.
For PEM encoded certificates, supported types are "X509 CERTIFICATE", and
"CERTIFICATE".
For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
"X509 CERTIFICATE", and "CERTIFICATE".
* `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert
chain should be provided per private key. Each cert chain should consist of
the PEM formatted certificate for a provided private `key`, followed by the
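Review bot: the reworded sentence says "TRUSTED CERTIFICATE" is now accepted but not what becomes of the trust attributes such a block carries (the auxiliary data that is the only difference from a plain "CERTIFICATE"); one more sentence stating whether those attributes influence verification or are ignored would save users who convert bundles with `openssl x509 -trustout -addtrust ...` from guessing.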
2 changes: 1 addition & 1 deletion src/node_crypto.cc
@@ -800,7 +800,7 @@ void SecureContext::AddCACert(const FunctionCallbackInfo<Value>& args) {
return;

X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_.get());
while (X509* x509 = PEM_read_bio_X509(
while (X509* x509 = PEM_read_bio_X509_AUX(
bio.get(), nullptr, NoPasswordCallback, nullptr)) {
if (cert_store == root_cert_store) {
cert_store = NewRootCertStore();
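Review bot: switching to PEM_read_bio_X509_AUX widens what the loop accepts, but the loop still stops at the first NULL return, so a malformed or unsupported block that follows a valid one is silently dropped instead of reported; consider inspecting the error queue after the loop (PEM_R_NO_START_LINE meaning clean end of input, anything else a parse failure) and surfacing the latter. A one-line comment on the `while` stating that the _AUX reader is what makes "TRUSTED CERTIFICATE" parse would also stop a future cleanup from reverting it.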
8 changes: 4 additions & 4 deletions test/parallel/test-tls-client-auth.js
@@ -254,7 +254,7 @@ connect({
return cleanup();
});

// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({
client: {
key: client.key,
@@ -269,11 +269,11 @@ connect({
requestCert: true,
},
}, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY');
assert.ifError(err);
return cleanup();
});
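Review bot: `assert.ifError(err)` only shows that the handshake completed; to prove the "TRUSTED CERTIFICATE" CA is what authorized the peer, rather than verification simply not being exercised, also assert the authorized flag on the side that loaded it (for instance `pair.server.conn.authorized`, if the connect helper exposes the server socket) and that `requestCert: true` actually produced a client certificate.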

// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({
client: {
key: client.key,
@@ -288,7 +288,7 @@ connect({
requestCert: true,
},
}, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'ECONNRESET');
assert.ifError(err);
return cleanup();
});
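Review bot: both rewritten comments now read identically ("Confirm support for ..."), yet the old expectations (UNABLE_TO_GET_ISSUER_CERT_LOCALLY for the first case, ECONNRESET for the second) show the two cases exercised different failure paths, so the elided options between them must differ; make each comment say which ca: option is under test so a future regression points at the right case.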