-rw-r--r-- | doc/api/cli.md | 16 | ||||
-rw-r--r-- | doc/api/tls.md | 3 | ||||
-rw-r--r-- | doc/node.1 | 8 | ||||
-rw-r--r-- | src/node_crypto.cc | 8 | ||||
-rw-r--r-- | src/node_options.cc | 11 | ||||
-rw-r--r-- | src/node_options.h | 5 | ||||
-rw-r--r-- | test/parallel/test-https-agent-additional-options.js | 3 | ||||
-rw-r--r-- | test/parallel/test-https-agent-session-eviction.js | 1 | ||||
-rw-r--r-- | test/parallel/test-process-env-allowed-flags.js | 3 | ||||
-rw-r--r-- | test/parallel/test-tls-getprotocol.js | 1 | ||||
-rw-r--r-- | test/parallel/test-tls-session-cache.js | 3 |
11 files changed, 57 insertions, 5 deletions
diff --git a/doc/api/cli.md b/doc/api/cli.md index 29f3360dda..723e849d4e 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -342,6 +342,22 @@ added: v4.0.0 Specify an alternative default TLS cipher list. Requires Node.js to be built with crypto support (default). +### `--tls-v1.0` +<!-- YAML +added: REPLACEME +--> + +Enable TLSv1.0. This should only be used for compatibility with old TLS +clients or servers. + +### `--tls-v1.1` +<!-- YAML +added: REPLACEME +--> + +Enable TLSv1.1. This should only be used for compatibility with old TLS +clients or servers. + ### `--trace-deprecation` <!-- YAML added: v0.8.0 diff --git a/doc/api/tls.md b/doc/api/tls.md index 7440dfa762..8380353934 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -1102,7 +1102,8 @@ changes: [OpenSSL Options][]. * `secureProtocol` {string} SSL method to use. The possible values are listed as [SSL_METHODS][], use the function names as strings. For example, - `'TLSv1_2_method'` to force TLS version 1.2. **Default:** `'TLS_method'`. + `'TLSv1_2_method'` to force TLS version 1.2. + **Default:** `'TLSv1_2_method'`. * `sessionIdContext` {string} Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients. diff --git a/doc/node.1 b/doc/node.1 index b8144f4ebb..52e307a6d6 100644 --- a/doc/node.1 +++ b/doc/node.1 @@ -183,6 +183,14 @@ Specify process.title on startup. Specify an alternative default TLS cipher list. Requires Node.js to be built with crypto support. (Default) . +.It Fl -tls-v1.0 +Enable TLSv1.0. This should only be used for compatibility with old TLS +clients or servers. +. +.It Fl -tls-v1.1 +Enable TLSv1.1. This should only be used for compatibility with old TLS +clients or servers. +. .It Fl -trace-deprecation Print stack traces for deprecations. . diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 3c68aea9bb..f34c37c7db 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc 
@@ -396,10 +396,13 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) { ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); Environment* env = sc->env(); - int min_version = 0; + int min_version = TLS1_2_VERSION; int max_version = 0; const SSL_METHOD* method = TLS_method(); + if (env->options()->tls_v1_1) min_version = TLS1_1_VERSION; + if (env->options()->tls_v1_0) min_version = TLS1_VERSION; + if (args.Length() == 1 && args[0]->IsString()) { const node::Utf8Value sslmethod(env->isolate(), args[0]); @@ -425,6 +428,9 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) { method = TLS_server_method(); } else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) { method = TLS_client_method(); + } else if (strcmp(*sslmethod, "TLS_method") == 0) { + min_version = 0; + max_version = 0; } else if (strcmp(*sslmethod, "TLSv1_method") == 0) { min_version = TLS1_VERSION; max_version = TLS1_VERSION; diff --git a/src/node_options.cc b/src/node_options.cc index 98beb9f4c6..5dc6779bc4 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -189,6 +189,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { AddOption("--napi-modules", "", NoOp{}, kAllowedInEnvironment); +#if HAVE_OPENSSL + AddOption("--tls-v1.0", + "enable TLSv1.0", + &EnvironmentOptions::tls_v1_0, + kAllowedInEnvironment); + AddOption("--tls-v1.1", + "enable TLSv1.1", + &EnvironmentOptions::tls_v1_1, + kAllowedInEnvironment); +#endif + Insert(&DebugOptionsParser::instance, &EnvironmentOptions::get_debug_options); } diff --git a/src/node_options.h b/src/node_options.h index 8c71881e64..8e9ea6304e 100644 --- a/src/node_options.h +++ b/src/node_options.h @@ -92,6 +92,11 @@ class EnvironmentOptions : public Options { bool print_eval = false; bool force_repl = false; +#if HAVE_OPENSSL + bool tls_v1_0 = false; + bool tls_v1_1 = false; +#endif + std::vector<std::string> preload_modules; std::vector<std::string> user_argv; 
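Review bot: The precedence between the two new flags rests on statement order alone — `tls_v1_1` is tested first and `tls_v1_0` second, so `--tls-v1.0` wins when both are given — and nothing in the hunk says so; add `// Checked last on purpose: --tls-v1.0 sets the lower floor and must override --tls-v1.1 when both are passed.` above the two `if` lines. The flags only move `min_version` while `max_version` stays 0, so the effective default is "TLS 1.2 or newer" rather than the pinned `TLSv1_2_method` that the tls.md hunk names as the default; a comment such as `// Floor is TLS 1.2 unless a --tls-v1.x flag lowers it; no ceiling, so newer versions stay negotiable.` next to `int max_version = 0;` would stop the code and the docs from being read as the same thing. SecureContext::Init continues outside the hunk.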
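Review bot: The new `"TLS_method"` branch clears `min_version` back to 0, but the `SSLv23_*` branches just above it, which select the same OpenSSL `TLS_method()`/`TLS_server_method()`/`TLS_client_method()`, keep the TLS 1.2 floor set earlier in Init, so two spellings of the same method now negotiate different protocol ranges. Decide whether the aliases should follow the literal string or keep the floor, and record the decision in place, e.g. `// Only the literal "TLS_method" string opts back into every version; the SSLv23_* aliases keep the default floor.` if the asymmetry is intended. If `"TLS_server_method"`/`"TLS_client_method"` string branches exist further down (outside this hunk), they need the same treatment as `"TLS_method"`. SecureContext::Init continues outside the hunk.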
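Review bot: Both new options are registered with `kAllowedInEnvironment`, so the protocol floor can be lowered for every Node.js process that inherits a `NODE_OPTIONS` value, not only those started with the flag on the command line, and the cli.md hunk does not mention this. If that is intended, the help text or cli.md should say the flag is also honored from `NODE_OPTIONS`; if it is not, drop `kAllowedInEnvironment` from both `AddOption` calls. Either way the choice deserves a one-line comment above the `#if HAVE_OPENSSL` block, since a flag that weakens a security default is the kind most worth keeping off the environment path.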
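Review bot: The two new `bool` members in EnvironmentOptions carry no comment, so a reader of the header cannot tell that they lower a security default rather than enable a feature. Suggest `// Lower the default TLS protocol floor (TLS 1.2) to 1.0 / 1.1; set by --tls-v1.0 / --tls-v1.1 and read in SecureContext::Init.` above `bool tls_v1_0 = false;`. The EnvironmentOptions class continues outside the hunk.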
diff --git a/test/parallel/test-https-agent-additional-options.js b/test/parallel/test-https-agent-additional-options.js index eaa6ea710e..1bbff96001 100644 --- a/test/parallel/test-https-agent-additional-options.js +++ b/test/parallel/test-https-agent-additional-options.js @@ -1,3 +1,4 @@ +// Flags: --tls-v1.1 'use strict'; const common = require('../common'); if (!common.hasCrypto) @@ -34,7 +35,7 @@ const updatedValues = new Map([ ['ecdhCurve', 'secp384r1'], ['honorCipherOrder', true], ['secureOptions', crypto.constants.SSL_OP_CIPHER_SERVER_PREFERENCE], - ['secureProtocol', 'TLSv1_method'], + ['secureProtocol', 'TLSv1_1_method'], ['sessionIdContext', 'sessionIdContext'], ]); diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js index cf6a1341c1..785f4737bd 100644 --- a/test/parallel/test-https-agent-session-eviction.js +++ b/test/parallel/test-https-agent-session-eviction.js @@ -1,3 +1,4 @@ +// Flags: --tls-v1.0 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-process-env-allowed-flags.js b/test/parallel/test-process-env-allowed-flags.js index ddd8d894ea..13bc8a4a01 100644 --- a/test/parallel/test-process-env-allowed-flags.js +++ b/test/parallel/test-process-env-allowed-flags.js @@ -51,7 +51,8 @@ require('../common'); // assert all "canonical" flags begin with dash(es) { process.allowedNodeEnvironmentFlags.forEach((flag) => { - assert(/^--?[a-z8_-]+$/.test(flag), `Unexpected format for flag ${flag}`); + assert(/^--?[a-z0-9._-]+$/.test(flag), + `Unexpected format for flag ${flag}`); }); } diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js index bf75eb8a39..20018241e3 100644 --- a/test/parallel/test-tls-getprotocol.js +++ b/test/parallel/test-tls-getprotocol.js 
@@ -17,6 +17,7 @@ const clientConfigs = [ ]; const serverConfig = { + secureProtocol: 'TLS_method', key: fixtures.readSync('/keys/agent2-key.pem'), cert: fixtures.readSync('/keys/agent2-cert.pem') }; diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js index 55dd92e81d..2a74be0521 100644 --- a/test/parallel/test-tls-session-cache.js +++ b/test/parallel/test-tls-session-cache.js @@ -48,7 +48,8 @@ function doTest(testOptions, callback) { cert, ca: [cert], requestCert: true, - rejectUnauthorized: false + rejectUnauthorized: false, + secureProtocol: 'TLS_method', }; let requestCount = 0; let resumeCount = 0; |