| author | Sam Roberts <vieuxtech@gmail.com> | 2018-05-06 13:52:34 +0900 |
|---|---|---|
| committer | Sam Roberts <vieuxtech@gmail.com> | 2018-11-22 09:14:58 -0800 |
| commit | f512f5ea138fe86e47c0179d5733044daf6f4fe6 (patch) | |
| tree | 944745196104118f057d4e0834b62422cf72480f /doc/api/tls.md | |
| parent | 160ac0f32513337214dc5a4cdb1fa8de3c2ed14c (diff) | |
tls: add min/max protocol version options
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.
PR-URL: https://github.com/nodejs/node/pull/24405
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Diffstat (limited to 'doc/api/tls.md')
-rw-r--r-- | doc/api/tls.md | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/doc/api/tls.md b/doc/api/tls.md index fe3282f97e..45d7fbfa2b 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -1070,6 +1070,10 @@ changes: pr-url: https://github.com/nodejs/node/pull/4099 description: The `ca` option can now be a single string containing multiple CA certificates. + - version: REPLACEME + pr-url: REPLACEME + description: The `minVersion` and `maxVersion` can be used to restrict + the allowed TLS protocol versions. --> * `options` {Object} @@ -1130,6 +1134,16 @@ changes: passphrase: <string>]}`. The object form can only occur in an array. `object.passphrase` is optional. Encrypted keys will be decrypted with `object.passphrase` if provided, or `options.passphrase` if it is not. + * `maxVersion` {string} Optionally set the maximum TLS version to allow. One + of `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the + `secureProtocol` option, use one or the other. **Default:** `'TLSv1.2'`. + * `minVersion` {string} Optionally set the minimum TLS version to allow. One + of `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the + `secureProtocol` option, use one or the other. It is not recommended to use + less than TLSv1.2, but it may be required for interoperability. + **Default:** `'TLSv1.2'`, unless changed using CLI options. Using + `--tls-v1.0` changes the default to `'TLSv1'`. Using `--tls-v1.1` changes + the default to `'TLSv1.1'`. * `passphrase` {string} Shared passphrase used for a single private key and/or a PFX. * `pfx` {string|string[]|Buffer|Buffer[]|Object[]} PFX or PKCS12 encoded 
@@ -1150,10 +1164,7 @@ changes: example, use `'TLSv1_1_method'` to force TLS version 1.1, or `'TLS_method'` to allow any TLS protocol version. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. **Default:** - `'TLSv1_2_method'`, unless changed using CLI options. Using the `--tlsv1.0` - CLI option is like `'TLS_method'` except protocols earlier than TLSv1.0 are - not allowed, and using the `--tlsv1.1` CLI option is like `'TLS_method'` - except that protocols earlier than TLSv1.1 are not allowed. + none, see `minVersion`. * `sessionIdContext` {string} Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients. |
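Review bot: in the `@@ -1070` hunk, `pr-url: REPLACEME` should carry the pull request URL that the commit message already gives, `https://github.com/nodejs/node/pull/24405`; only `version` is normally left as `REPLACEME` for the release tooling to fill in. The description also reads better as "The `minVersion` and `maxVersion` options can be used to restrict the allowed TLS protocol versions."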
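Review bot: in the `@@ -1130` hunk, the value lists for both `maxVersion` and `minVersion` have a typo: `` `TLSv1.2'` `` is missing its opening quote and should read `'TLSv1.2'`, matching `'TLSv1.1'` and `'TLSv1'`. The CLI flags are spelled `--tls-v1.0` / `--tls-v1.1` here but `--tlsv1.0` / `--tlsv1.1` in the `secureProtocol` text removed in the following hunk; use the spelling of the actual flags so the two entries do not contradict each other. Since both options default to `'TLSv1.2'`, it would also help to document what happens when a caller sets `minVersion` higher than `maxVersion` (an error, or one value winning).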
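Review bot: in the `@@ -1150` hunk, replacing the default with `none, see `minVersion`` leaves the `secureProtocol` entry without the reciprocal statement that it cannot be combined with `minVersion` or `maxVersion`, which the new entries assert from their side; add that sentence here so the mutual exclusion is documented in both places. The retained sentence "It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability" now duplicates the guidance under `minVersion`; consider pointing to `minVersion` for that as well and stating plainly that when `secureProtocol` is unset the `minVersion`/`maxVersion` defaults apply.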