From 20cb91d5c2538ba940e80543fb3ae3f703e929ab Mon Sep 17 00:00:00 2001 From: Shigeki Ohtsu Date: Mon, 14 Mar 2016 15:28:27 +0900 Subject: [PATCH 1/2] deps: Disable EXPORT and LOW ciphers in openssl openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: https://github.com/nodejs/LTS/issues/85 --- deps/openssl/config/opensslconf.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/deps/openssl/config/opensslconf.h b/deps/openssl/config/opensslconf.h index 508b1b2da71850..64875ef0fa1fa5 100644 --- a/deps/openssl/config/opensslconf.h +++ b/deps/openssl/config/opensslconf.h @@ -44,6 +44,9 @@ # ifndef OPENSSL_NO_STORE # define OPENSSL_NO_STORE # endif +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +# define OPENSSL_NO_WEAK_SSL_CIPHERS +#endif #endif /* OPENSSL_DOING_MAKEDEPEND */ #ifndef OPENSSL_THREADS @@ -112,6 +115,9 @@ # if defined(OPENSSL_NO_MDC2) && !defined(NO_MDC2) # define NO_MDC2 # endif +# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS) +# define NO_WEAK_SSL_CIPHERS +# endif #endif /* crypto/opensslconf.h.in */ From c90797c373661336380ed7fc5cf0841c660962dc Mon Sep 17 00:00:00 2001 From: Shigeki Ohtsu Date: Tue, 15 Mar 2016 13:10:33 +0900 Subject: [PATCH 2/2] test: change tls tests not to use LOW cipher DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. --- deps/openssl/config/opensslconf.h | 6 ++--- ...test-tls-honorcipherorder-secureOptions.js | 22 +++++++++--------- test/simple/test-tls-honorcipherorder.js | 23 +++++++------------ 3 files changed, 22 insertions(+), 29 deletions(-) diff --git a/deps/openssl/config/opensslconf.h b/deps/openssl/config/opensslconf.h index 64875ef0fa1fa5..5e5765d5b3ff47 100644 --- a/deps/openssl/config/opensslconf.h +++ b/deps/openssl/config/opensslconf.h @@ -44,9 +44,9 @@ # ifndef OPENSSL_NO_STORE # define OPENSSL_NO_STORE # endif -#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS -# define OPENSSL_NO_WEAK_SSL_CIPHERS -#endif +# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +# define OPENSSL_NO_WEAK_SSL_CIPHERS +# endif #endif /* OPENSSL_DOING_MAKEDEPEND */ #ifndef OPENSSL_THREADS diff --git a/test/simple/test-tls-honorcipherorder-secureOptions.js b/test/simple/test-tls-honorcipherorder-secureOptions.js index e70cfb1ef4a43f..932ffe25b494a6 100644 --- a/test/simple/test-tls-honorcipherorder-secureOptions.js +++ b/test/simple/test-tls-honorcipherorder-secureOptions.js @@ -49,7 +49,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, secureOptions, cb) secureProtocol: SSL_Method, key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'), cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'), - ciphers: 'AES256-SHA:RC4-SHA:DES-CBC-SHA', + ciphers: 'AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA', secureOptions: secureOptions, honorCipherOrder: !!honorCipherOrder }; @@ -95,37 +95,37 @@ test1(); function test1() { // Client has the preference of cipher suites by default - test(false, 'DES-CBC-SHA:RC4-SHA:AES256-SHA','DES-CBC-SHA', 0, test2); + test(false, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA','RC4-SHA', 0, test2); } function test2() { // Server has the preference of cipher suites where AES256-SHA is in // the first. - test(true, 'DES-CBC-SHA:RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test3); + test(true, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', 'AES256-SHA', 0, test3); } function test3() { - // Server has the preference of cipher suites. RC4-SHA is given - // higher priority over DES-CBC-SHA among client cipher suites. - test(true, 'DES-CBC-SHA:RC4-SHA', 'RC4-SHA', 0, test4); + // Server has the preference of cipher suites. AES256-SHA is given + // higher priority over RC4-SHA among client cipher suites. + test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test4); } function test4() { // As client has only one cipher, server has no choice in regardless // of honorCipherOrder. - test(true, 'DES-CBC-SHA', 'DES-CBC-SHA', 0, test5); + test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', 0, test5); } function test5() { test(false, - 'DES-CBC-SHA', - 'DES-CBC-SHA', + 'RC4-SHA', + 'RC4-SHA', process.binding('constants').SSL_OP_SINGLE_DH_USE, test6); } function test6() { test(true, - 'DES-CBC-SHA', - 'DES-CBC-SHA', + 'RC4-SHA', + 'RC4-SHA', process.binding('constants').SSL_OP_SINGLE_DH_USE); } diff --git a/test/simple/test-tls-honorcipherorder.js b/test/simple/test-tls-honorcipherorder.js index 6b24d75146e20a..e0e1e70d380438 100644 --- a/test/simple/test-tls-honorcipherorder.js +++ b/test/simple/test-tls-honorcipherorder.js @@ -30,7 +30,7 @@ var SSL_Method = 'TLSv1_method'; var localhost = '127.0.0.1'; process.on('exit', function() { - assert.equal(nconns, 6); + assert.equal(nconns, 5); }); function test(honorCipherOrder, clientCipher, expectedCipher, cb) { @@ -38,7 +38,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, cb) { secureProtocol: SSL_Method, key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'), cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'), - ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA', + ciphers: 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', honorCipherOrder: !!honorCipherOrder }; @@ -75,31 +75,24 @@ function test1() { } function test2() { - // Server has the preference of cipher suites where DES-CBC-SHA is in + // Server has the preference of cipher suites where RC4-SHA is in // the first. - test(true, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'DES-CBC-SHA', test3); + test(true, 'AES256-SHA:RC4-SHA', 'RC4-SHA', test3); } function test3() { - // Server has the preference of cipher suites. RC4-SHA is given - // higher priority over DES-CBC-SHA among client cipher suites. - test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4); + // Server has the preference of cipher suites. AES256-SHA is given + // higher priority over ECDHE-RSA-AES256-SHA among client cipher suites. + test(true, 'ECDHE-RSA-AES256-SHA:AES256-SHA', 'AES256-SHA', test4); } function test4() { // As client has only one cipher, server has no choice in regardless // of honorCipherOrder. - test(true, 'RC4-SHA', 'RC4-SHA', test5); + test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', test5); } function test5() { - // Client did not explicitly set ciphers. Ensure that client defaults to - // sane ciphers. Even though server gives top priority to DES-CBC-SHA - // it should not be negotiated because it's not in default client ciphers. - test(true, null, 'AES256-SHA', test6); -} - -function test6() { // Ensure that `tls.DEFAULT_CIPHERS` is used SSL_Method = 'TLSv1_2_method'; tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';