doc: adding tls.createServer secureOptions section #9340
Conversation
nodejs-github-bot
added
doc
| @@ -1027,6 +1027,11 @@ added: v0.3.2 | |||
| force SSL version 3. The possible values depend on the version of OpenSSL | |||
| installed in the environment and are defined in the constant | |||
| [SSL_METHODS][]. | |||
| * `secureOptions` {number} The options via bitmask affecting the protocol | |||
There was a problem hiding this comment.
A bitmask affecting the protocol....
Please describe the default value/behaviour when not specified.
There was a problem hiding this comment.
I'm having trouble determining how to specify the default behavior because I'm unsure whether we want to disclose the underlying implementation to the user. The setting itself doesn't really default to anything; however, SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 are always set on the SSL context; and _tls_common.createSecureContext is adding SSL_OP_CIPHER_SERVER_PREFERENCE if the honorCipherOrder options is true. Is this something that we wish to describe to the user in this section?
There was a problem hiding this comment.
I don't see SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 always set on the SSL context, can you reference where?
Please review https://github.com/nodejs/node/pull/9800/files, I think I document this.
There was a problem hiding this comment.
The SecureContext itself appears to always be setting these here: https://github.com/nodejs/node/blob/master/src/node_crypto.cc#L398
I have no issues with your PR, and think the documentation you did is sufficient. Feel free to close this one.
| behavior of SSL. This can be used to limit the versions of SSL/TLS, e.q. | ||
| `crypto.constants.SSL_OP_NO_TLSv1 | crypto.constants.SSL_OP_NO_TLSv1_1` to | ||
| deny TLSv1 and TLSv1.1 connections. For more details, see | ||
| [Crypto Constants][]. |
There was a problem hiding this comment.
There are no more details in the Crypto Constants section! There are actually three sections, and I can't tell which of the options from which of the sections are actually allowed to be specified as a secureOption. Probably there should be a specific section for the options that are allowed in secureOptions, unless they all are? Or can the options that are valid for secureOptions be used in other places?
|
Definitely needs docs, two thumbs up for that, but these docs aren't quite complete enough to describe how to use the |
|
ping @kobelb |
|
@silverwind I'll try and get something together to address the comments early next week |
kobelb
force-pushed
the
tls-secure-options
branch
from
43f4705
to
59538eb
Compare
|
There's now another PR that adds this option: 32c15c9 @sam-github what shall we do with this one? |
|
Author agrees this can be closed #9340 (comment) |
Checklist
Affected core subsystem(s)
doc
Description of change
Adding documentation for the tls.createServer secureOptions.
Resolves: #9025