src,build: add --openssl-default-cipher-list
This commit adds a configuration option named
openssl-default-cipher-list which takes a colon-separated string
specifying ciphers that should be used as the default ciphers instead of
the ones defined in node_constants.

The motivation for this is a use case where Fedora/RHEL would like
to be able to specify a default cipher in the format PROFILE=SYSTEM.
This would enable Fedora/RHEL to have a system-wide security level for
all applications.

PR-URL: #33708
Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
Reviewed-By: David Carlier <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
danbev committed Jun 8, 2020
1 parent 111d1e5 commit 7f8e977
Showing 4 changed files with 50 additions and 27 deletions.
10 changes: 10 additions & 0 deletions configure.py
Expand Up @@ -170,6 +170,11 @@
"e.g. /root/x/y.js will be referenced via require('root/x/y'). "
"Can be used multiple times")

parser.add_option('--openssl-default-cipher-list',
action='store',
dest='openssl_default_cipher_list',
help='Use the specified cipher list as the default cipher list')

parser.add_option("--openssl-no-asm",
action="store_true",
dest="openssl_no_asm",
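Review bot: the new `parser.add_option` block uses single-quoted strings while the neighbouring options in this file use double quotes (`"--openssl-no-asm"`, `action="store_true"`); match the surrounding style. The help text should also say what format is expected, since the value is handed straight to OpenSSL, for example `help="Use the specified colon-separated OpenSSL cipher list as the default cipher list (e.g. PROFILE=SYSTEM)"`.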
Expand Down Expand Up @@ -1302,6 +1307,8 @@ def without_ssl_error(option):
without_ssl_error('--openssl-no-asm')
if options.openssl_fips:
without_ssl_error('--openssl-fips')
if options.openssl_default_cipher_list:
without_ssl_error('--openssl-default-cipher-list')
return

if options.use_openssl_ca_store:
Expand All @@ -1311,6 +1318,9 @@ def without_ssl_error(option):
variables['node_without_node_options'] = b(options.without_node_options)
if options.without_node_options:
o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS']
if options.openssl_default_cipher_list:
variables['openssl_default_cipher_list'] = \
options.openssl_default_cipher_list

if not options.shared_openssl and not options.openssl_no_asm:
is_x86 = 'x64' in variables['target_arch'] or 'ia32' in variables['target_arch']
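Review bot: `options.openssl_default_cipher_list` is copied into `variables` without any validation, and downstream it is embedded in a quoted C string literal, so a value containing `"` or `\` fails at compile time with a confusing preprocessor error instead of at configure time. Suggest rejecting such values here with a clear message, for example by checking that the string only contains the characters OpenSSL cipher strings use (letters, digits, `_`, `:`, `!`, `+`, `-`, `=`, `@`, `,`) before the assignment; both `PROFILE=SYSTEM` and the built-in list in node_constants.h pass that check.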
55 changes: 29 additions & 26 deletions doc/api/tls.md
Expand Up @@ -269,33 +269,36 @@ Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

## Modifying the Default TLS Cipher suite

Node.js is built with a default suite of enabled and disabled TLS ciphers.
Currently, the default cipher suite is:
Node.js is built with a default suite of enabled and disabled TLS ciphers. This
default cipher list can be configured when building Node.js to allow
distributions to provide their own default list.

```text
TLS_AES_256_GCM_SHA384:
TLS_CHACHA20_POLY1305_SHA256:
TLS_AES_128_GCM_SHA256:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA256:
ECDHE-RSA-AES256-SHA384:
DHE-RSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA256:
DHE-RSA-AES256-SHA256:
HIGH:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!SRP:
The following command can be used to show the default cipher suite:
```console
node -p crypto.constants.defaultCoreCipherList | tr ':' '\n'
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA256
HIGH
!aNULL
!eNULL
!EXPORT
!DES
!RC4
!MD5
!PSK
!SRP
!CAMELLIA
```

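Review bot: the new paragraph says the default list "can be configured when building Node.js" but never names the option; add it so readers can find it, e.g. "by passing `--openssl-default-cipher-list` to `configure`". It is also worth saying next to the command that it prints the list compiled into the running build, so a distribution-provided default (such as `PROFILE=SYSTEM`) will show something other than the list below. Replacing the static listing with the command output is a good move in itself, since the old listing had already drifted from node_constants.h (it stopped at `!SRP` and lacked `!CAMELLIA`). Minor: there is no blank line between the sentence ending in a colon and the `console` fence, unlike the `text` fence it replaces.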
6 changes: 6 additions & 0 deletions node.gyp
Expand Up @@ -748,6 +748,7 @@

'variables': {
'openssl_system_ca_path%': '',
'openssl_default_cipher_list%': '',
},

'defines': [
Expand All @@ -764,6 +765,11 @@
'msvs_disabled_warnings!': [4244],

'conditions': [
[ 'openssl_default_cipher_list!=""', {
'defines': [
'NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"'
]
}],
[ 'error_on_warn=="true"', {
'cflags': ['-Werror'],
'xcode_settings': {
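Review bot: `'NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"'` interpolates the configure value into a C string literal with no escaping, so the build relies on configure.py guaranteeing the value is free of `"`, `\` and other characters that gyp or the shell treat specially; that guarantee should exist and be mentioned in a comment here. Note also that the `!=""` condition means an explicitly empty value silently falls back to the built-in list rather than being reported; that is consistent with the truthiness check in configure.py, but worth a one-line comment so nobody tries to use an empty value to mean "no restrictions".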
6 changes: 5 additions & 1 deletion src/node_constants.h
Expand Up @@ -41,6 +41,9 @@
#define RSA_PSS_SALTLEN_AUTO -2
#endif

#if defined(NODE_OPENSSL_DEFAULT_CIPHER_LIST)
#define DEFAULT_CIPHER_LIST_CORE NODE_OPENSSL_DEFAULT_CIPHER_LIST
#else
// TLSv1.3 suites start with TLS_, and are the OpenSSL defaults, see:
// https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
#define DEFAULT_CIPHER_LIST_CORE \
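Review bot: the TLSv1.3 comment now lives only in the `#else` branch, and the new `#if` branch replaces the whole of `DEFAULT_CIPHER_LIST_CORE`, the `TLS_` entries included. Add a short comment in the new branch stating that, because a distro value such as `PROFILE=SYSTEM` must then be a complete cipher string that OpenSSL accepts on its own, with none of the TLSv1.3 suite names from the built-in list prepended.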
Expand Down Expand Up @@ -68,7 +71,8 @@
"!PSK:" \
"!SRP:" \
"!CAMELLIA"
#endif
#endif // NODE_OPENSSL_DEFAULT_CIPHER_LIST
#endif // HAVE_OPENSSL

namespace node {


0 comments on commit 7f8e977