From 31dadd2007cd4e9979e22b837459150467570508 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 21 Oct 2017 13:29:18 -0400 Subject: [PATCH] crypto: deprecate {ecdhCurve: false} This doesn't work in OpenSSL 1.1.0. Per discussion on the PR, it is preferable to just deprecate this setting. Deprecate it and skip the test in OpenSSL 1.1.0. PR-URL: https://github.com/nodejs/node/pull/16130 Reviewed-By: Ben Noordhuis Reviewed-By: Rod Vagg --- doc/api/deprecations.md | 10 ++++++++++ lib/_tls_common.js | 12 ++++++++++++ test/parallel/test-tls-ecdh-disable.js | 8 ++++++++ 3 files changed, 30 insertions(+) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index adfb3305268df0..b8170f1e440309 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -737,6 +737,16 @@ Type: Runtime internal mechanics of the `REPLServer` itself, and is therefore not necessary in user space. + +### DEP0083: Disabling ECDH by setting ecdhCurve to false + +Type: Runtime + +The `ecdhCurve` option to `tls.createSecureContext()` and `tls.TLSSocket` could +be set to `false` to disable ECDH entirely on the server only. This mode is +deprecated in preparation for migrating to OpenSSL 1.1.0 and consistency with +the client. Use the `ciphers` parameter instead. + [`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size [`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array diff --git a/lib/_tls_common.js b/lib/_tls_common.js index 4196cc084c86c4..75eb6a2ec53449 100644 --- a/lib/_tls_common.js +++ b/lib/_tls_common.js @@ -65,6 +65,16 @@ function validateKeyCert(value, type) { exports.SecureContext = SecureContext; +function ecdhCurveWarning() { + if (ecdhCurveWarning.emitted) return; + process.emitWarning('{ ecdhCurve: false } is deprecated.', + 'DeprecationWarning', + 'DEP0083'); + ecdhCurveWarning.emitted = true; +} +ecdhCurveWarning.emitted = false; + + exports.createSecureContext = function createSecureContext(options, context) { if (!options) options = {}; @@ -140,6 +150,8 @@ exports.createSecureContext = function createSecureContext(options, context) { c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE); else if (options.ecdhCurve) c.context.setECDHCurve(options.ecdhCurve); + else + ecdhCurveWarning(); if (options.dhparam) { const warning = c.context.setDHParam(options.dhparam); diff --git a/test/parallel/test-tls-ecdh-disable.js b/test/parallel/test-tls-ecdh-disable.js index 72b51771c87280..af97fbfcdd0492 100644 --- a/test/parallel/test-tls-ecdh-disable.js +++ b/test/parallel/test-tls-ecdh-disable.js @@ -31,6 +31,11 @@ if (!common.hasCrypto) if (!common.opensslCli) common.skip('missing openssl-cli'); +const OPENSSL_VERSION_NUMBER = + require('crypto').constants.OPENSSL_VERSION_NUMBER; +if (OPENSSL_VERSION_NUMBER >= 0x10100000) + common.skip('false ecdhCurve not supported in OpenSSL 1.1.0'); + const assert = require('assert'); const tls = require('tls'); const exec = require('child_process').exec; @@ -42,6 +47,9 @@ const options = { ecdhCurve: false }; +common.expectWarning('DeprecationWarning', + '{ ecdhCurve: false } is deprecated.'); + const server = tls.createServer(options, common.mustNotCall()); server.listen(0, '127.0.0.1', common.mustCall(function() {