SSLv3 is susceptible to downgrade attacks. Provide secure defaults, disable v3 protocol support entirely. PR-URL: https://github.com/iojs/io.js/pull/315 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com>v1.8.0-commit
Ben Noordhuis
10 years ago
5 changed files with 99 additions and 14 deletions
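--- /dev/null
+++ b/<new-test-file-1-path-placeholder>
@@ -0,0 +1,52 @@
+if (!process.versions.openssl) {
+console.error('Skipping because node compiled without OpenSSL.');
+process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var tls = require('tls');
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'blargh' });
+}, /Unknown method/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv2_method' });
+}, /SSLv2 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv2_client_method' });
+}, /SSLv2 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv2_server_method' });
+}, /SSLv2 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv3_method' });
+}, /SSLv3 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv3_client_method' });
+}, /SSLv3 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv3_server_method' });
+}, /SSLv3 methods disabled/);
+
+// Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends are
+// still accepted. They are OpenSSL's way of saying that all known protocols
+// are supported unless explicitly disabled (which we do for SSLv2 and SSLv3.)
+tls.createSecureContext({ secureProtocol: 'SSLv23_method' });
+tls.createSecureContext({ secureProtocol: 'SSLv23_client_method' });
+tls.createSecureContext({ secureProtocol: 'SSLv23_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_server_method' });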
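Review bot: The twelve accepted-method calls at the end of the file (SSLv23_method through TLSv1_2_server_method) carry no assertion, so a regression that makes one of them throw surfaces only as an uncaught exception with nothing saying that case was meant to pass; wrapping each in `assert.doesNotThrow(function() { tls.createSecureContext({ secureProtocol: 'SSLv23_method' }); });` makes the intent explicit. The test also never builds a context with no `secureProtocol` at all, which is the "secure defaults" path the commit message describes, so a `tls.createSecureContext({});` alongside the accepted methods would cover it. Whether the TLSv1_1 and TLSv1_2 method names exist depends on the OpenSSL the binary links against, so if builds against older OpenSSL are still supported the positive cases may need a version guard. The comment block before the accepted methods should also state that the `SSLv2 methods disabled`/`SSLv3 methods disabled` errors come from the native layer, since a reader of this test cannot tell where the rejection is enforced.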
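--- /dev/null
+++ b/<new-test-file-2-path-placeholder>
@@ -0,0 +1,34 @@
+if (!process.versions.openssl) {
+console.error('Skipping because node compiled without OpenSSL.');
+process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var fs = require('fs');
+var spawn = require('child_process').spawn;
+var tls = require('tls');
+
+var cert = fs.readFileSync(common.fixturesDir + '/test_cert.pem');
+var key = fs.readFileSync(common.fixturesDir + '/test_key.pem');
+var server = tls.createServer({ cert: cert, key: key }, assert.fail);
+
+server.listen(common.PORT, '127.0.0.1', function() {
+var address = this.address().address + ':' + this.address().port;
+var args = ['s_client',
+'-no_ssl2',
+'-ssl3',
+'-no_tls1',
+'-no_tls1_1',
+'-no_tls1_2',
+'-connect', address];
+var client = spawn(common.opensslCli, args, { stdio: 'inherit' });
+client.once('exit', common.mustCall(function(exitCode) {
+assert.equal(exitCode, 1);
+server.close();
+}));
+});
+
+server.once('clientError', common.mustCall(function(err, conn) {
+assert(/SSL3_GET_CLIENT_HELLO:wrong version number/.test(err.message));
+}));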
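Review bot: The `spawn(common.opensslCli, args, ...)` line assumes an openssl command-line binary is available, but the only skip guard in the file checks `process.versions.openssl`, which reflects the linked library rather than the CLI; if `common.opensslCli` can be unset on such builds, the test fails with a spawn error instead of skipping, so a guard such as `if (!common.opensslCli) { console.error('Skipping because node compiled without OpenSSL CLI.'); process.exit(0); }` next to the existing one is warranted. The `clientError` assertion matches the OpenSSL-internal string `SSL3_GET_CLIENT_HELLO:wrong version number`, which is tied to one OpenSSL release's error naming and will likely need loosening (for example matching `wrong version number` alone) when the bundled OpenSSL is upgraded. `assert.equal(exitCode, 1)` is a loose comparison; `assert.strictEqual(exitCode, 1)` pins the value. Note that with `-ssl3` the client's exit code is only meaningful if the local openssl CLI itself still speaks SSLv3; a CLI built without it would also exit non-zero for an unrelated reason and the `mustCall` on `clientError` would then fail, which is worth a short comment above the `args` array.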