author | David Benjamin <davidben@google.com> | 2017-09-23 00:35:33 -0400 |
---|---|---|
committer | Rod Vagg <rod@vagg.org> | 2017-11-11 20:42:49 +1100 |
commit | 5fe81c8aff03261f6443580dbc08f608013718c6 (patch) | |
tree | 3e2c18c42182d9cf6550881e623939dd68493249 /doc/api/tls.md | |
parent | 594ef761d1c583a8ef6e49876a4a57aec4b62394 (diff) | |
crypto: hard-code tlsSocket.getCipher().version
This aligns the documentation with reality. This API never did what Node
claims it did.
The SSL_CIPHER_get_version function just isn't useful. In OpenSSL 1.0.2,
it always returned the string "TLSv1/SSLv3" for anything but SSLv2
ciphers, which Node does not support. Note how test-tls-multi-pfx.js
claims that ECDHE-ECDSA-AES256-GCM-SHA384 was added in TLSv1/SSLv3 which
is not true. That cipher is new as of TLS 1.2. The OpenSSL 1.0.2
implementation is:
    char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
    {
        int i;

        if (c == NULL)
            return ("(NONE)");
        /* top byte of the cipher id: 3 = SSLv3/TLS suites, 2 = SSLv2 suites */
        i = (int)(c->id >> 24L);
        if (i == 3)
            return ("TLSv1/SSLv3");
        else if (i == 2)
            return ("SSLv2");
        else
            return ("unknown");
    }
In OpenSSL 1.1.0, SSL_CIPHER_get_version changed to actually behave as
Node documented it, but this changes the semantics of the function and
breaks tests. The cipher's minimum protocol version is not a useful
notion to return to the caller here, so just hardcode the string at
"TLSv1/SSLv3" and document it as legacy.
PR-URL: https://github.com/nodejs/node/pull/16130
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
Diffstat (limited to 'doc/api/tls.md')
-rw-r--r-- | doc/api/tls.md | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/doc/api/tls.md b/doc/api/tls.md index 26d7e157aa..a19a78dc9a 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -558,12 +558,12 @@ Always returns `true`. This may be used to distinguish TLS sockets from regular added: v0.11.4 --> -Returns an object representing the cipher name and the SSL/TLS protocol version -that first defined the cipher. +Returns an object representing the cipher name. The `version` key is a legacy +field which always contains the value `'TLSv1/SSLv3'`. For example: `{ name: 'AES256-SHA', version: 'TLSv1/SSLv3' }` -See `SSL_CIPHER_get_name()` and `SSL_CIPHER_get_version()` in +See `SSL_CIPHER_get_name()` in https://www.openssl.org/docs/man1.0.2/ssl/SSL_CIPHER_get_name.html for more information. |
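Review bot: the metadata comment directly above this hunk still reads only `added: v0.11.4`, yet the meaning of the `version` key changes with this patch (a constant `'TLSv1/SSLv3'` instead of whatever `SSL_CIPHER_get_version()` returned); add a `changes:` entry with the version, `pr-url: https://github.com/nodejs/node/pull/16130` and a one-line description such as "The `version` key is now always `'TLSv1/SSLv3'`" so the change shows up in the rendered documentation. The new text also tells readers what `version` no longer means without saying where the negotiated protocol is available; a sentence pointing at `tlsSocket.getProtocol()`, documented elsewhere in this file, would stop callers from migrating to another wrong field.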