path: root/lib/_tls_common.js
authorSam Roberts <vieuxtech@gmail.com>2018-05-06 13:52:34 +0900
committerSam Roberts <vieuxtech@gmail.com>2018-11-22 09:14:58 -0800
commitf512f5ea138fe86e47c0179d5733044daf6f4fe6 (patch)
tree944745196104118f057d4e0834b62422cf72480f /lib/_tls_common.js
parent160ac0f32513337214dc5a4cdb1fa8de3c2ed14c (diff)
tls: add min/max protocol version options
The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain. PR-URL: https://github.com/nodejs/node/pull/24405 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
Diffstat (limited to 'lib/_tls_common.js')
-rw-r--r--lib/_tls_common.js39
1 files changed, 32 insertions, 7 deletions
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index 4028b02be2..7ddb0d4757 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -26,22 +26,46 @@ const { isArrayBufferView } = require('internal/util/types');
const tls = require('tls');
const {
ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED,
- ERR_INVALID_ARG_TYPE
+ ERR_INVALID_ARG_TYPE,
+ ERR_TLS_INVALID_PROTOCOL_VERSION,
+ ERR_TLS_PROTOCOL_VERSION_CONFLICT,
} = require('internal/errors').codes;
-
-const { SSL_OP_CIPHER_SERVER_PREFERENCE } = internalBinding('constants').crypto;
+const {
+ SSL_OP_CIPHER_SERVER_PREFERENCE,
+ TLS1_VERSION,
+ TLS1_1_VERSION,
+ TLS1_2_VERSION,
+} = internalBinding('constants').crypto;
// Lazily loaded from internal/crypto/util.
let toBuf = null;
+function toV(which, v, def) {
+ if (v == null) v = def;
+ if (v === 'TLSv1') return TLS1_VERSION;
+ if (v === 'TLSv1.1') return TLS1_1_VERSION;
+ if (v === 'TLSv1.2') return TLS1_2_VERSION;
+ throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which);
+}
+
const { SecureContext: NativeSecureContext } = internalBinding('crypto');
-function SecureContext(secureProtocol, secureOptions) {
+function SecureContext(secureProtocol, secureOptions, minVersion, maxVersion) {
if (!(this instanceof SecureContext)) {
- return new SecureContext(secureProtocol, secureOptions);
+ return new SecureContext(secureProtocol, secureOptions, minVersion,
+ maxVersion);
+ }
+
+ if (secureProtocol) {
+ if (minVersion != null)
+ throw new ERR_TLS_PROTOCOL_VERSION_CONFLICT(minVersion, secureProtocol);
+ if (maxVersion != null)
+ throw new ERR_TLS_PROTOCOL_VERSION_CONFLICT(maxVersion, secureProtocol);
}
this.context = new NativeSecureContext();
- this.context.init(secureProtocol);
+ this.context.init(secureProtocol,
+ toV('minimum', minVersion, tls.DEFAULT_MIN_VERSION),
+ toV('maximum', maxVersion, tls.DEFAULT_MAX_VERSION));
if (secureOptions) this.context.setOptions(secureOptions);
}
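Review bot: The two `toV(...)` calls run after `this.context = new NativeSecureContext()`, so a bad `minVersion`/`maxVersion` string throws `ERR_TLS_INVALID_PROTOCOL_VERSION` only after a native context has already been allocated; resolving the versions first fails fast on invalid input without creating the native object, e.g. `const min = toV('minimum', minVersion, tls.DEFAULT_MIN_VERSION);`, `const max = toV('maximum', maxVersion, tls.DEFAULT_MAX_VERSION);` before the `new NativeSecureContext()` line, then `this.context.init(secureProtocol, min, max);`. Nothing in this hunk rejects a `minVersion` greater than `maxVersion`; unless the native `init` does, that misconfiguration is passed through without a clear error, and the `ERR_TLS_PROTOCOL_VERSION_CONFLICT` check only covers the `secureProtocol` case. `toV` also lacks a header comment; I would add `// Map a protocol name ('TLSv1', 'TLSv1.1', 'TLSv1.2') to its OpenSSL version constant, using def when v is null/undefined; throws ERR_TLS_INVALID_PROTOCOL_VERSION for any other value.`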
@@ -66,7 +90,8 @@ exports.createSecureContext = function createSecureContext(options) {
if (options.honorCipherOrder)
secureOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
- const c = new SecureContext(options.secureProtocol, secureOptions);
+ const c = new SecureContext(options.secureProtocol, secureOptions,
+ options.minVersion, options.maxVersion);
var i;
var val;