crypto: deprecate {ecdhCurve: false}

This doesn't work in OpenSSL 1.1.0. Per discussion on the PR, it is preferable to just deprecate this setting. Deprecate it and skip the test in OpenSSL 1.1.0. PR-URL: https://github.com/nodejs/node/pull/16130 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Rod Vagg <rod@vagg.org>
2017-10-21 13:29:18 -04:00 · 2017-10-21 13:29:18 -04:00 · 560f797776
commit 560f797776
parent aa81f995b4
3 changed files with 30 additions and 0 deletions
--- a/doc/api/deprecations.md
+++ b/doc/api/deprecations.md
@ -737,6 +737,16 @@ Type: Runtime
 internal mechanics of the `REPLServer` itself, and is therefore not
 necessary in user space.

+<a id="DEP0083"></a>
+### DEP0083: Disabling ECDH by setting ecdhCurve to false
+
+Type: Runtime
+
+The `ecdhCurve` option to `tls.createSecureContext()` and `tls.TLSSocket` could
+be set to `false` to disable ECDH entirely on the server only. This mode is
+deprecated in preparation for migrating to OpenSSL 1.1.0 and consistency with
+the client. Use the `ciphers` parameter instead.
+

 [`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size
 [`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@ -65,6 +65,16 @@ function validateKeyCert(value, type) {
 exports.SecureContext = SecureContext;


+function ecdhCurveWarning() {
+  if (ecdhCurveWarning.emitted) return;
+  process.emitWarning('{ ecdhCurve: false } is deprecated.',
+                      'DeprecationWarning',
+                      'DEP0083');
+  ecdhCurveWarning.emitted = true;
+}
+ecdhCurveWarning.emitted = false;
+
+
 exports.createSecureContext = function createSecureContext(options, context) {
  if (!options) options = {};

@ -140,6 +150,8 @@ exports.createSecureContext = function createSecureContext(options, context) {
    c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
  else if (options.ecdhCurve)
    c.context.setECDHCurve(options.ecdhCurve);
+  else
+    ecdhCurveWarning();

  if (options.dhparam) {
    const warning = c.context.setDHParam(options.dhparam);
--- a/test/parallel/test-tls-ecdh-disable.js
+++ b/test/parallel/test-tls-ecdh-disable.js
@ -31,6 +31,11 @@ if (!common.hasCrypto)
 if (!common.opensslCli)
  common.skip('missing openssl-cli');

+const OPENSSL_VERSION_NUMBER =
+  require('crypto').constants.OPENSSL_VERSION_NUMBER;
+if (OPENSSL_VERSION_NUMBER >= 0x10100000)
+  common.skip('false ecdhCurve not supported in OpenSSL 1.1.0');
+
 const assert = require('assert');
 const tls = require('tls');
 const exec = require('child_process').exec;
@ -42,6 +47,9 @@ const options = {
  ecdhCurve: false
 };

+common.expectWarning('DeprecationWarning',
+                     '{ ecdhCurve: false } is deprecated.');
+
 const server = tls.createServer(options, common.mustNotCall());

 server.listen(0, '127.0.0.1', common.mustCall(function() {