From d60a061bb5e67fbbf3fe6eae88993f2e7853575e Mon Sep 17 00:00:00 2001 From: Shigeki Ohtsu Date: Thu, 3 Mar 2016 17:09:36 +0900 Subject: [PATCH] src, doc: remove SSLv2 constants and descriptions Constants and doc descriptions related to SSLv2 are no longer needed. Fixes: https://github.com/nodejs/node/pull/5529
---
doc/api/tls.markdown | 20 ++++++++------------
doc/node.1 | 3 ---
src/node_constants.cc | 8 --------
3 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
index fbd97e88a650aa..c6f6a6746bb2fd 100644
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -40,24 +40,23 @@ To create .pfx or .p12, do this:
 ## Protocol support
-Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these
+Node.js is compiled with SSLv3 protocol support by default, but these
 protocols are **disabled**. They are considered insecure and could be easily compromised as was shown by [CVE-2014-3566][]. However, in some situations, it may cause problems with legacy clients/servers (such as Internet Explorer 6).
-If you wish to enable SSLv2 or SSLv3, run node with the `--enable-ssl2` or
-`--enable-ssl3` flag respectively. In future versions of Node.js SSLv2 and
-SSLv3 will not be compiled in by default.
+If you wish to enable SSLv3, run node with the `--enable-ssl3` flag
+respectively. In future versions of Node.js SSLv3 will not be compiled in by
+default.
-There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly
-specifying `secureProtocol` to `'SSLv3_method'` or `'SSLv2_method'`.
+There is a way to force node into using SSLv3 only mode by explicitly
+specifying `secureProtocol` to `'SSLv3_method'`.
 The default protocol method Node.js uses is `SSLv23_method` which would be more accurately named `AutoNegotiate_method`. This method will try and negotiate from the highest level down to whatever the client supports. To provide a secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3
-and SSLv2 by setting the `secureOptions` to be
-`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
-`--enable-ssl3`, or `--enable-ssl2`, or `SSLv3_method` as `secureProtocol`).
+by setting the `secureOptions` to be `SSL_OP_NO_SSLv3` (again, unless you have
+passed `--enable-ssl3`, or `SSLv3_method` as `secureProtocol`).
 If you have set `secureOptions` to anything, we will not override your options.
@@ -172,9 +171,6 @@ automatically set as a listener for the [secureConnection][] event. The
 - `honorCipherOrder` : When choosing a cipher, use the server's preferences instead of the client preferences.
- Note that if SSLv2 is used, the server will send its list of preferences to the client, and the client chooses the cipher.
-
 Although, this option is disabled by default, it is *recommended* that you use this option in conjunction with the `ciphers` option to mitigate BEAST attacks.
diff --git a/doc/node.1 b/doc/node.1
index ab5fa73b27107d..ddeae7d71132ad 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -62,9 +62,6 @@ and servers. --max-stack-size=val set max v8 stack size (bytes) - --enable-ssl2 enable ssl2 in crypto, tls, and https modules - --enable-ssl3 enable ssl3 in crypto, tls, and https modules
diff --git a/src/node_constants.cc b/src/node_constants.cc
index 863a7c6ed93db5..492ba65681d93f 100644
--- a/src/node_constants.cc
+++ b/src/node_constants.cc
@@ -904,10 +904,6 @@ void DefineConstants(Handle target) {
 NODE_DEFINE_CONSTANT(target, SSL_OP_MICROSOFT_SESS_ID_BUG);
 #endif
-#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
- NODE_DEFINE_CONSTANT(target, SSL_OP_MSIE_SSLV2_RSA_PADDING);
-#endif
-
 #ifdef SSL_OP_NETSCAPE_CA_DN_BUG
 NODE_DEFINE_CONSTANT(target, SSL_OP_NETSCAPE_CA_DN_BUG);
 #endif
@@ -936,10 +932,6 @@ void DefineConstants(Handle target) {
 NODE_DEFINE_CONSTANT(target, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif
-#ifdef SSL_OP_NO_SSLv2
- NODE_DEFINE_CONSTANT(target, SSL_OP_NO_SSLv2);
-#endif
-
 #ifdef SSL_OP_NO_SSLv3
 NODE_DEFINE_CONSTANT(target, SSL_OP_NO_SSLv3);
 #endif