diff options
author | Sam Roberts <vieuxtech@gmail.com> | 2018-11-15 15:51:55 -0800 |
---|---|---|
committer | Sam Roberts <vieuxtech@gmail.com> | 2018-11-19 11:21:13 -0800 |
commit | 43273262e5f07a80cecf2cef6ac89ca1719821fb (patch) | |
tree | ec3aed1a1f82e16cfd459a5f87539f2f6ccc4cce /doc | |
parent | 54b4beb506dc9b830f21442c68a0be8be58a2ef8 (diff) | |
download | android-node-v8-43273262e5f07a80cecf2cef6ac89ca1719821fb.tar.gz android-node-v8-43273262e5f07a80cecf2cef6ac89ca1719821fb.tar.bz2 android-node-v8-43273262e5f07a80cecf2cef6ac89ca1719821fb.zip |
doc: describe secureProtocol and CLI interaction
Cross-reference the secureProtocol docs and the CLI docs for --tls-v1.0
and --tls-v1.1 and describe relationship. Make clear that --tls-v1.0
enables TLSv1.0 and TLSv1.1.
PR-URL: https://github.com/nodejs/node/pull/24386
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/api/cli.md | 9 | ||||
-rw-r--r-- | doc/api/tls.md | 13 | ||||
-rw-r--r-- | doc/node.1 | 8 |
3 files changed, 18 insertions, 12 deletions
diff --git a/doc/api/cli.md b/doc/api/cli.md index 209f8bf05a..2a3debd1b9 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -347,16 +347,16 @@ with crypto support (default). added: REPLACEME --> -Enable TLSv1.0. This should only be used for compatibility with old TLS -clients or servers. +Enable TLSv1.0 and greater in default [secureProtocol][]. Use for compatibility +with old TLS clients or servers. ### `--tls-v1.1` <!-- YAML added: REPLACEME --> -Enable TLSv1.1. This should only be used for compatibility with old TLS -clients or servers. +Enable TLSv1.1 and greater in default [secureProtocol][]. Use for compatibility +with old TLS clients or servers. ### `--trace-deprecation` <!-- YAML @@ -787,3 +787,4 @@ greater than `4` (its current default value). For more information, see the [experimental ECMAScript Module]: esm.html#esm_loader_hooks [libuv threadpool documentation]: http://docs.libuv.org/en/latest/threadpool.html [remote code execution]: https://www.owasp.org/index.php/Code_Injection +[secureProtocol]: tls.html#tls_tls_createsecurecontext_options diff --git a/doc/api/tls.md b/doc/api/tls.md index 82dfbe2019..5655f21bd6 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -1118,10 +1118,15 @@ changes: which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the `SSL_OP_*` options from [OpenSSL Options][]. - * `secureProtocol` {string} SSL method to use. The possible values are listed - as [SSL_METHODS][], use the function names as strings. For example, - `'TLSv1_2_method'` to force TLS version 1.2. - **Default:** `'TLSv1_2_method'`. + * `secureProtocol` {string} The TLS protocol version to use. The possible + values are listed as [SSL_METHODS][], use the function names as strings. For + example, use `'TLSv1_1_method'` to force TLS version 1.1, or `'TLS_method'` + to allow any TLS protocol version. It is not recommended to use TLS versions + less than 1.2, but it may be required for interoperability. **Default:** + `'TLSv1_2_method'`, unless changed using CLI options. Using the `--tlsv1.0` + CLI option is like `'TLS_method'` except protocols earlier than TLSv1.0 are + not allowed, and using the `--tlsv1.1` CLI option is like `'TLS_method'` + except that protocols earlier than TLSv1.1 are not allowed. * `sessionIdContext` {string} Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients. diff --git a/doc/node.1 b/doc/node.1 index 52e307a6d6..d3c66d08cf 100644 --- a/doc/node.1 +++ b/doc/node.1 @@ -184,12 +184,12 @@ Specify an alternative default TLS cipher list. Requires Node.js to be built with crypto support. (Default) . .It Fl -tls-v1.0 -Enable TLSv1.0. This should only be used for compatibility with old TLS -clients or servers. +Enable TLSv1.0 and greater in default secureProtocol. Use for compatibility +with old TLS clients or servers. . .It Fl -tls-v1.1 -Enable TLSv1.1. This should only be used for compatibility with old TLS -clients or servers. +Enable TLSv1.1 and greater in default secureProtocol. Use for compatibility +with old TLS clients or servers. . .It Fl -trace-deprecation Print stack traces for deprecations. |