From f512f5ea138fe86e47c0179d5733044daf6f4fe6 Mon Sep 17 00:00:00 2001
From: Sam Roberts
Date: Sun, 6 May 2018 13:52:34 +0900
Subject: tls: add min/max protocol version options

The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain.

PR-URL: https://github.com/nodejs/node/pull/24405
Reviewed-By: Refael Ackermann
Reviewed-By: Rod Vagg
---
 lib/_tls_common.js | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)
(limited to 'lib/_tls_common.js')

diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index 4028b02be2..7ddb0d4757 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -26,22 +26,46 @@ const { isArrayBufferView } = require('internal/util/types');
 const tls = require('tls');
 const {
   ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED,
-  ERR_INVALID_ARG_TYPE
+  ERR_INVALID_ARG_TYPE,
+  ERR_TLS_INVALID_PROTOCOL_VERSION,
+  ERR_TLS_PROTOCOL_VERSION_CONFLICT,
 } = require('internal/errors').codes;
-
-const { SSL_OP_CIPHER_SERVER_PREFERENCE } = internalBinding('constants').crypto;
+const {
+  SSL_OP_CIPHER_SERVER_PREFERENCE,
+  TLS1_VERSION,
+  TLS1_1_VERSION,
+  TLS1_2_VERSION,
+} = internalBinding('constants').crypto;
 
 // Lazily loaded from internal/crypto/util.
 let toBuf = null;
 
+function toV(which, v, def) {
+  if (v == null) v = def;
+  if (v === 'TLSv1') return TLS1_VERSION;
+  if (v === 'TLSv1.1') return TLS1_1_VERSION;
+  if (v === 'TLSv1.2') return TLS1_2_VERSION;
+  throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which);
+}
+
 const { SecureContext: NativeSecureContext } = internalBinding('crypto');
 
-function SecureContext(secureProtocol, secureOptions) {
+function SecureContext(secureProtocol, secureOptions, minVersion, maxVersion) {
   if (!(this instanceof SecureContext)) {
-    return new SecureContext(secureProtocol, secureOptions);
+    return new SecureContext(secureProtocol, secureOptions, minVersion,
+                             maxVersion);
+  }
+
+  if (secureProtocol) {
+    if (minVersion != null)
+      throw new ERR_TLS_PROTOCOL_VERSION_CONFLICT(minVersion, secureProtocol);
+    if (maxVersion != null)
+      throw new ERR_TLS_PROTOCOL_VERSION_CONFLICT(maxVersion, secureProtocol);
   }
 
   this.context = new NativeSecureContext();
-  this.context.init(secureProtocol);
+  this.context.init(secureProtocol,
+                    toV('minimum', minVersion, tls.DEFAULT_MIN_VERSION),
+                    toV('maximum', maxVersion, tls.DEFAULT_MAX_VERSION));
   if (secureOptions) this.context.setOptions(secureOptions);
 }
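Review bot: Nothing in SecureContext checks that the resolved minimum is not above the resolved maximum, so `minVersion: 'TLSv1.2', maxVersion: 'TLSv1'` passes both toV calls and reaches context.init; unless the native init rejects the pair, the result is a context that can never complete a handshake, and the misconfiguration surfaces only at connection time instead of as an error at creation. Comparing the two toV results before the init call (the OpenSSL version constants are numerically ordered) would report it up front. toV also carries no comment; suggest `// Map a protocol name ('TLSv1', 'TLSv1.1', 'TLSv1.2') to its OpenSSL version constant; null/undefined falls back to def, anything else throws ERR_TLS_INVALID_PROTOCOL_VERSION naming which option was bad.` Note too that when secureProtocol is given the defaults are still resolved and handed to init alongside it, so whether they have any effect depends on the native side, which this hunk does not show.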
@@ -66,7 +90,8 @@ exports.createSecureContext = function createSecureContext(options) {
   if (options.honorCipherOrder)
     secureOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 
-  const c = new SecureContext(options.secureProtocol, secureOptions);
+  const c = new SecureContext(options.secureProtocol, secureOptions,
+                              options.minVersion, options.maxVersion);
 
   var i;
   var val;
-- 
cgit v1.2.3