Age | Commit message (Collapse) | Author |
|
This introduces TLS1.3 support and makes it the default max protocol,
but also supports CLI/NODE_OPTIONS switches to disable it if necessary.
TLS1.3 is a major update to the TLS protocol, with many security
enhancements. It should be preferred over TLS1.2 whenever possible.
TLS1.3 is different enough that even though the OpenSSL APIs are
technically API/ABI compatible, that when TLS1.3 is negotiated, the
timing of protocol records and of callbacks broke assumptions hard-coded
into the 'tls' module.
This change introduces no API incompatibilities when TLS1.2 is
negotiated. It is the intention that it be backported to current and LTS
release lines with the default maximum TLS protocol reset to 'TLSv1.2'.
This will allow users of those lines to explicitly enable TLS1.3 if they
want.
API incompatibilities between TLS1.2 and TLS1.3 are:
- Renegotiation is not supported by TLS1.3 protocol, attempts to call
`.renegotiate()` will always fail.
- Compiling against a system OpenSSL lower than 1.1.1 is no longer
supported (OpenSSL-1.1.0 used to be supported with configure flags).
- Variations of `conn.write('data'); conn.destroy()` have undefined
behaviour according to the streams API. They may or may not send the
'data', and may or may not cause a ERR_STREAM_DESTROYED error to be
emitted. This has always been true, but conditions under which the write
suceeds is slightly but observably different when TLS1.3 is negotiated
vs when TLS1.2 or below is negotiated.
- If TLS1.3 is negotiated, and a server calls `conn.end()` in its
'secureConnection' listener without any data being written, the client
will not receive session tickets (no 'session' events will be emitted,
and `conn.getSession()` will never return a resumable session).
- The return value of `conn.getSession()` API may not return a resumable
session if called right after the handshake. The effect will be that
clients using the legacy `getSession()` API will resume sessions if
TLS1.2 is negotiated, but will do full handshakes if TLS1.3 is
negotiated. See https://github.com/nodejs/node/pull/25831 for more
information.
PR-URL: https://github.com/nodejs/node/pull/26209
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
|
|
This is a major refactor of our Node’s parser. See `node_options.cc`
for how it is used, and `node_options-inl.h` for the bulk
of its implementation.
Unfortunately, the implementation has come to have some
complexity, in order to meet the following goals:
- Make it easy to *use* for defining or changing options.
- Keep it (mostly) backwards-compatible.
- No tests were harmed as part of this commit.
- Be as consistent as possible.
- In particular, options can now generally accept arguments
through both `--foo=bar` notation and `--foo bar` notation.
We were previously very inconsistent on this point.
- Separate into different levels of scope, namely
per-process (global), per-Isolate and per-Environment
(+ debug options).
- Allow programmatic accessibility in the future.
- This includes a possible expansion for `--help` output.
This commit also leaves a number of `TODO` comments, mostly for
improving consistency even more (possibly with having to modify
tests), improving embedder support, as well as removing pieces of
exposed configuration variables that should never have become
part of the public API but unfortunately are at this point.
PR-URL: https://github.com/nodejs/node/pull/22392
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
|
|
Adds support for the PSS padding scheme. Until now, the sign/verify
functions used the old EVP_Sign*/EVP_Verify* OpenSSL API, making it
impossible to change the padding scheme. Fixed by first computing the
message digest and then signing/verifying with a custom EVP_PKEY_CTX,
allowing us to specify options such as the padding scheme and the PSS
salt length.
Fixes: https://github.com/nodejs/node/issues/1127
PR-URL: https://github.com/nodejs/node/pull/11705
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
A prior io.js era commit inappropriately removed the
original copyright statements from the source. This
restores those in any files still remaining from that
edit.
Ref: https://github.com/nodejs/TSC/issues/174
Ref: https://github.com/nodejs/node/pull/10599
PR-URL: https://github.com/nodejs/node/pull/10155
Note: This PR was required, reviewed-by and approved
by the Node.js Foundation Legal Committee and the TSC.
There is no `Approved-By:` meta data.
|
|
For consistency with the newly added src/base64.h header, check that
NODE_WANT_INTERNALS is defined and set in internal headers.
PR-URL: https://github.com/nodejs/node/pull/6948
Refs: https://github.com/nodejs/node/pull/6910
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
|
|
The require('constants') module is currently undocumented and mashes
together unrelated constants. This refactors the require('constants')
in favor of distinct os.constants, fs.constants, and crypto.constants
that are specific to the modules for which they are relevant. The
next step is to document those within the specific modules.
PR-URL: https://github.com/nodejs/node/pull/6534
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Robert Lindstaedt <robert.lindstaedt@gmail.com>
|
|
v8::Handle is deprecated: https://codereview.chromium.org/1224623004
PR-URL: https://github.com/nodejs/io.js/pull/2202
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
|
|
This adds a new `--tls-cipher-list` command line switch
that can be used to override the built-in default cipher
list. The intent of this is to make it possible to enforce
an alternative default cipher list at the process level.
Overriding the default cipher list is still permitted at
the application level by changing the value of
`require('tls').DEFAULT_CIPHERS`.
As part of the change, the built in default list is moved
out of tls.js and into node_constants.h and node_constants.cc.
Two new constants are added to require('constants'):
* defaultCipherList (the active default cipher list)
* defaultCoreCipherList (the built-in default cipher list)
A test case and doc changes are included.
A new NODE_DEFINE_STRING_CONSTANT macro is also created in
node_internals.h
When node_constants is initialized, it will pick up either
the passed in command line switch or fallback to the default
built-in suite.
Within joyent/node, this change had originaly been wrapped
up with a number of other related commits involving the
removal of the RC4 cipher. This breaks out this isolated
change.
/cc @mhdawson, @misterdjules, @trevnorris, @indutny, @rvagg
Reviewed By: Ben Noordhuis <ben@strongloop.com>
PR-URL: https://github.com/nodejs/node/pull/2412
|
|
The copyright and license notice is already in the LICENSE file. There
is no justifiable reason to also require that it be included in every
file, since the individual files are not individually distributed except
as part of the entire package.
|
|
|
|
|
|
|
|
|