author | Roga Pria Sembada <rogaps@gmail.com> | 2017-09-05 01:49:28 +0700 |
---|---|---|
committer | James M Snell <jasnell@gmail.com> | 2017-09-20 01:16:28 -0700 |
commit | 873e5bd0b4c07f3ff983e683d3095f4327421a4f (patch) | |
tree | 100bd021ec469972c8392d646592164dbba64c85 /doc/api/tls.md | |
parent | 3c65a83ac5c98b778ac91c64cb99a1a775c91c37 (diff) | |
download | android-node-v8-873e5bd0b4c07f3ff983e683d3095f4327421a4f.tar.gz android-node-v8-873e5bd0b4c07f3ff983e683d3095f4327421a4f.tar.bz2 android-node-v8-873e5bd0b4c07f3ff983e683d3095f4327421a4f.zip |
crypto: support multiple ECDH curves and auto
Using SSL_CTX_set1_curves_list() (OpenSSL 1.0.2+), this allows setting
colon-separated ECDH curve names in SecureContext's ecdhCurve option.
The option can also be set to "auto" to select the curve automatically
from the list built into OpenSSL by enabling SSL_CTX_set_ecdh_auto()
(OpenSSL 1.0.2+).
PR-URL: https://github.com/nodejs/node/pull/15206
Ref: https://github.com/nodejs/node/issues/15054
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Diffstat (limited to 'doc/api/tls.md')
-rw-r--r-- | doc/api/tls.md | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/doc/api/tls.md b/doc/api/tls.md index ebcf85438f..9979895a75 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -101,8 +101,8 @@ openssl dhparam -outform PEM -out dhparam.pem 2048 If using Perfect Forward Secrecy using `ECDHE`, Diffie-Hellman parameters are not required and a default ECDHE curve will be used. The `ecdhCurve` property -can be used when creating a TLS Server to specify the name of an alternative -curve to use, see [`tls.createServer()`] for more info. +can be used when creating a TLS Server to specify the list of names of supported +curves to use, see [`tls.createServer()`] for more info. ### ALPN, NPN and SNI @@ -984,11 +984,13 @@ changes: preferences instead of the client's. When `true`, causes `SSL_OP_CIPHER_SERVER_PREFERENCE` to be set in `secureOptions`, see [OpenSSL Options][] for more information. - * `ecdhCurve` {string} A string describing a named curve to use for ECDH key - agreement or `false` to disable ECDH. Defaults to - [`tls.DEFAULT_ECDH_CURVE`]. Use [`crypto.getCurves()`][] to obtain a list - of available curve names. On recent releases, `openssl ecparam -list_curves` - will also display the name and description of each available elliptic curve. + * `ecdhCurve` {string} A string describing a named curve or a colon separated + list of curve NIDs or names, for example `P-521:P-384:P-256`, to use for + ECDH key agreement, or `false` to disable ECDH. Set to `auto` to select the + curve automatically. Defaults to [`tls.DEFAULT_ECDH_CURVE`]. Use + [`crypto.getCurves()`][] to obtain a list of available curve names. On + recent releases, `openssl ecparam -list_curves` will also display the name + and description of each available elliptic curve. * `dhparam` {string|Buffer} Diffie Hellman parameters, required for [Perfect Forward Secrecy][]. Use `openssl dhparam` to create the parameters. The key length must be greater than or equal to 1024 bits, otherwise an |
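Review bot: in the first hunk (doc line 101), the new wording "specify the list of names of supported curves to use" is awkward and omits the `auto` value that this change introduces; since this paragraph is the reader's first encounter with `ecdhCurve`, suggest "specify a colon-separated list of curve names to use, or `auto` to let OpenSSL choose, see [`tls.createServer()`] for more info."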
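Review bot: in the second hunk (doc line 984), the option text should state the OpenSSL version requirement and the ordering semantics, since both affect how a server operator reasons about the security level actually negotiated. The commit message says the list form and `auto` depend on OpenSSL 1.0.2+, but the doc gives no hint of what happens on an older OpenSSL; and the example `P-521:P-384:P-256` suggests a priority order without saying so. Suggest appending: "The list is passed to OpenSSL in the order given; `auto` and the list form require OpenSSL 1.0.2 or later." Also, the `changes:` metadata block that the hunk header context shows above this option should get a new entry referencing the PR-URL from this commit, since the accepted values of `ecdhCurve` have changed.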