Skip to content

Commit

Permalink
tls: disable TLS v1.0 and v1.1 by default
Browse files Browse the repository at this point in the history
Refs: https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/

PR-URL: #23814
Reviewed-By: Refael Ackermann <[email protected]>
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Rod Vagg <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
  • Loading branch information
bnoordhuis authored and addaleax committed Nov 13, 2018
1 parent fcd7a72 commit 60eca6a
Show file tree
Hide file tree
Showing 11 changed files with 57 additions and 5 deletions.
16 changes: 16 additions & 0 deletions doc/api/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -342,6 +342,22 @@ added: v4.0.0
Specify an alternative default TLS cipher list. Requires Node.js to be built
with crypto support (default).

### `--tls-v1.0`
<!-- YAML
added: REPLACEME
-->

Enable TLSv1.0. This should only be used for compatibility with old TLS
clients or servers.

### `--tls-v1.1`
<!-- YAML
added: REPLACEME
-->

Enable TLSv1.1. This should only be used for compatibility with old TLS
clients or servers.

### `--trace-deprecation`
<!-- YAML
added: v0.8.0
Expand Down
3 changes: 2 additions & 1 deletion doc/api/tls.md
Original file line number Diff line number Diff line change
Expand Up @@ -1102,7 +1102,8 @@ changes:
[OpenSSL Options][].
* `secureProtocol` {string} SSL method to use. The possible values are listed
as [SSL_METHODS][], use the function names as strings. For example,
`'TLSv1_2_method'` to force TLS version 1.2. **Default:** `'TLS_method'`.
`'TLSv1_2_method'` to force TLS version 1.2.
**Default:** `'TLSv1_2_method'`.
* `sessionIdContext` {string} Opaque identifier used by servers to ensure
session state is not shared between applications. Unused by clients.

Expand Down
8 changes: 8 additions & 0 deletions doc/node.1
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,14 @@ Specify process.title on startup.
Specify an alternative default TLS cipher list.
Requires Node.js to be built with crypto support. (Default)
.
.It Fl -tls-v1.0
Enable TLSv1.0. This should only be used for compatibility with old TLS
clients or servers.
.
.It Fl -tls-v1.1
Enable TLSv1.1. This should only be used for compatibility with old TLS
clients or servers.
.
.It Fl -trace-deprecation
Print stack traces for deprecations.
.
Expand Down
8 changes: 7 additions & 1 deletion src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -396,10 +396,13 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
Environment* env = sc->env();

int min_version = 0;
int min_version = TLS1_2_VERSION;
int max_version = 0;
const SSL_METHOD* method = TLS_method();

if (env->options()->tls_v1_1) min_version = TLS1_1_VERSION;
if (env->options()->tls_v1_0) min_version = TLS1_VERSION;

if (args.Length() == 1 && args[0]->IsString()) {
const node::Utf8Value sslmethod(env->isolate(), args[0]);

Expand All @@ -425,6 +428,9 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
method = TLS_server_method();
} else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) {
method = TLS_client_method();
} else if (strcmp(*sslmethod, "TLS_method") == 0) {
min_version = 0;
max_version = 0;
} else if (strcmp(*sslmethod, "TLSv1_method") == 0) {
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
Expand Down
11 changes: 11 additions & 0 deletions src/node_options.cc
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {

AddOption("--napi-modules", "", NoOp{}, kAllowedInEnvironment);

#if HAVE_OPENSSL
AddOption("--tls-v1.0",
"enable TLSv1.0",
&EnvironmentOptions::tls_v1_0,
kAllowedInEnvironment);
AddOption("--tls-v1.1",
"enable TLSv1.1",
&EnvironmentOptions::tls_v1_1,
kAllowedInEnvironment);
#endif

Insert(&DebugOptionsParser::instance,
&EnvironmentOptions::get_debug_options);
}
Expand Down
5 changes: 5 additions & 0 deletions src/node_options.h
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,11 @@ class EnvironmentOptions : public Options {
bool print_eval = false;
bool force_repl = false;

#if HAVE_OPENSSL
bool tls_v1_0 = false;
bool tls_v1_1 = false;
#endif

std::vector<std::string> preload_modules;

std::vector<std::string> user_argv;
Expand Down
3 changes: 2 additions & 1 deletion test/parallel/test-https-agent-additional-options.js
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
// Flags: --tls-v1.1
'use strict';
const common = require('../common');
if (!common.hasCrypto)
Expand Down Expand Up @@ -34,7 +35,7 @@ const updatedValues = new Map([
['ecdhCurve', 'secp384r1'],
['honorCipherOrder', true],
['secureOptions', crypto.constants.SSL_OP_CIPHER_SERVER_PREFERENCE],
['secureProtocol', 'TLSv1_method'],
['secureProtocol', 'TLSv1_1_method'],
['sessionIdContext', 'sessionIdContext'],
]);

Expand Down
1 change: 1 addition & 0 deletions test/parallel/test-https-agent-session-eviction.js
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
// Flags: --tls-v1.0
'use strict';

const common = require('../common');
Expand Down
3 changes: 2 additions & 1 deletion test/parallel/test-process-env-allowed-flags.js
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,8 @@ require('../common');
// assert all "canonical" flags begin with dash(es)
{
process.allowedNodeEnvironmentFlags.forEach((flag) => {
assert(/^--?[a-z8_-]+$/.test(flag), `Unexpected format for flag ${flag}`);
assert(/^--?[a-z0-9._-]+$/.test(flag),
`Unexpected format for flag ${flag}`);
});
}

Expand Down
1 change: 1 addition & 0 deletions test/parallel/test-tls-getprotocol.js
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ const clientConfigs = [
];

const serverConfig = {
secureProtocol: 'TLS_method',
key: fixtures.readSync('/keys/agent2-key.pem'),
cert: fixtures.readSync('/keys/agent2-cert.pem')
};
Expand Down
3 changes: 2 additions & 1 deletion test/parallel/test-tls-session-cache.js
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,8 @@ function doTest(testOptions, callback) {
cert,
ca: [cert],
requestCert: true,
rejectUnauthorized: false
rejectUnauthorized: false,
secureProtocol: 'TLS_method',
};
let requestCount = 0;
let resumeCount = 0;
Expand Down

0 comments on commit 60eca6a

Please sign in to comment.