1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

crypto: deprecate {ecdhCurve: false}

Browse Source 
This doesn't work in OpenSSL 1.1.0.  Per discussion on the PR, it is
preferable to just deprecate this setting. Deprecate it and skip the
test in OpenSSL 1.1.0.

PR-URL: https://github.com/nodejs/node/pull/16130
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
This commit is contained in:
David Benjamin 2017-10-21 13:29:18 -04:00 committed by Rod Vagg
parent aa81f995b4
commit 560f797776
3 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/api/deprecations.md
View File

@ -737,6 +737,16 @@ Type: Runtime
internal mechanics of the `REPLServer` itself, and is therefore not internal mechanics of the `REPLServer` itself, and is therefore not
necessary in user space. necessary in user space.
<a id="DEP0083"></a>
### DEP0083: Disabling ECDH by setting ecdhCurve to false
Type: Runtime
The `ecdhCurve` option to `tls.createSecureContext()` and `tls.TLSSocket` could
be set to `false` to disable ECDH entirely on the server only. This mode is
deprecated in preparation for migrating to OpenSSL 1.1.0 and consistency with
the client. Use the `ciphers` parameter instead.
[`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size [`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size
[`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array [`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array

12
lib/_tls_common.js
View File

@ -65,6 +65,16 @@ function validateKeyCert(value, type) {
exports.SecureContext = SecureContext; exports.SecureContext = SecureContext;
function ecdhCurveWarning() {
if (ecdhCurveWarning.emitted) return;
process.emitWarning('{ ecdhCurve: false } is deprecated.',
'DeprecationWarning',
'DEP0083');
ecdhCurveWarning.emitted = true;
}
ecdhCurveWarning.emitted = false;
exports.createSecureContext = function createSecureContext(options, context) { exports.createSecureContext = function createSecureContext(options, context) {
if (!options) options = {}; if (!options) options = {};
@ -140,6 +150,8 @@ exports.createSecureContext = function createSecureContext(options, context) {
c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE); c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
else if (options.ecdhCurve) else if (options.ecdhCurve)
c.context.setECDHCurve(options.ecdhCurve); c.context.setECDHCurve(options.ecdhCurve);
else
ecdhCurveWarning();
if (options.dhparam) { if (options.dhparam) {
const warning = c.context.setDHParam(options.dhparam); const warning = c.context.setDHParam(options.dhparam);

8
test/parallel/test-tls-ecdh-disable.js
View File

@ -31,6 +31,11 @@ if (!common.hasCrypto)
if (!common.opensslCli) if (!common.opensslCli)
common.skip('missing openssl-cli'); common.skip('missing openssl-cli');
const OPENSSL_VERSION_NUMBER =
require('crypto').constants.OPENSSL_VERSION_NUMBER;
if (OPENSSL_VERSION_NUMBER >= 0x10100000)
common.skip('false ecdhCurve not supported in OpenSSL 1.1.0');
const assert = require('assert'); const assert = require('assert');
const tls = require('tls'); const tls = require('tls');
const exec = require('child_process').exec; const exec = require('child_process').exec;
@ -42,6 +47,9 @@ const options = {
ecdhCurve: false ecdhCurve: false
}; };
common.expectWarning('DeprecationWarning',
'{ ecdhCurve: false } is deprecated.');
const server = tls.createServer(options, common.mustNotCall()); const server = tls.createServer(options, common.mustNotCall());
server.listen(0, '127.0.0.1', common.mustCall(function() { server.listen(0, '127.0.0.1', common.mustCall(function() {