author | Sam Roberts <vieuxtech@gmail.com> | 2018-05-06 13:52:34 +0900 |
---|---|---|
committer | Sam Roberts <vieuxtech@gmail.com> | 2018-11-22 09:14:58 -0800 |
commit | f512f5ea138fe86e47c0179d5733044daf6f4fe6 (patch) | |
tree | 944745196104118f057d4e0834b62422cf72480f /src | |
parent | 160ac0f32513337214dc5a4cdb1fa8de3c2ed14c (diff) | |
tls: add min/max protocol version options
The existing secureProtocol option only allows restricting the
protocol to one specific version, or permitting "all supported
versions". It also used obscure strings based on OpenSSL C API
function names. Directly setting the min or max is easier to use and explain.
PR-URL: https://github.com/nodejs/node/pull/24405
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/node_constants.cc | 4 | ||||
-rw-r--r-- | src/node_crypto.cc | 14 |
2 files changed, 12 insertions, 6 deletions
diff --git a/src/node_constants.cc b/src/node_constants.cc
index 3b028b52aa..7530d6d0a3 100644
--- a/src/node_constants.cc
+++ b/src/node_constants.cc
@@ -1237,6 +1237,10 @@ void DefineCryptoConstants(Local<Object> target) {
   NODE_DEFINE_STRING_CONSTANT(target, "defaultCipherList", per_process_opts->tls_cipher_list.c_str());
+
+  NODE_DEFINE_CONSTANT(target, TLS1_VERSION);
+  NODE_DEFINE_CONSTANT(target, TLS1_1_VERSION);
+  NODE_DEFINE_CONSTANT(target, TLS1_2_VERSION);
 #endif
   NODE_DEFINE_CONSTANT(target, INT_MAX);
 }
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 7e168c6fa4..16d1951ff7 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -405,14 +405,15 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
   Environment* env = sc->env();
-  int min_version = TLS1_2_VERSION;
-  int max_version = 0;
-  const SSL_METHOD* method = TLS_method();
+  CHECK_EQ(args.Length(), 3);
+  CHECK(args[1]->IsInt32());
+  CHECK(args[2]->IsInt32());
-  if (env->options()->tls_v1_1) min_version = TLS1_1_VERSION;
-  if (env->options()->tls_v1_0) min_version = TLS1_VERSION;
+  int min_version = args[1].As<Int32>()->Value();
+  int max_version = args[2].As<Int32>()->Value();
+  const SSL_METHOD* method = TLS_method();
-  if (args.Length() == 1 && args[0]->IsString()) {
+  if (args[0]->IsString()) {
     const node::Utf8Value sslmethod(env->isolate(), args[0]);
     // Note that SSLv2 and SSLv3 are disallowed but SSLv23_method and friends
@@ -509,6 +510,7 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);
   SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
+
   // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
   // exposed in the public API. To retain compatibility, install a callback
   // which restores the old algorithm. |
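Review bot: The return values of `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` (the unchanged lines at the top of the `@@ -509` hunk) are still ignored, and after this change the integers they receive come from the caller through `args[1]`/`args[2]` instead of a fixed set of `TLS1_*_VERSION` constants. OpenSSL reports a version it does not recognise, or was built without, by returning 0 from these setters, so an unsupported minVersion would most likely leave the context on OpenSSL's own default lower bound — looser than the user asked for — with no error surfaced. I would fail the call instead: `if (!SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version) || !SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version)) return ThrowCryptoError(env, ERR_get_error(), "Invalid TLS protocol version");` (using whichever error helper this file already has for OpenSSL failures). Note also that the new `CHECK(args[1]->IsInt32())`/`CHECK(args[2]->IsInt32())` guards abort the process rather than throw, so the JS layer, which is not part of this diff, must validate user-supplied minVersion/maxVersion before reaching the binding. SecureContext::Init begins before the first node_crypto.cc hunk and continues past the last one.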