SSLv3 is susceptible to downgrade attacks. Provide secure defaults, disable v3 protocol support entirely. PR-URL: https://github.com/iojs/io.js/pull/315 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com>v1.8.0-commit
Ben Noordhuis
10 years ago
5 changed files with 99 additions and 14 deletions
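--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_FILE_1
@@ -0,0 +1,52 @@
+if (!process.versions.openssl) {
+console.error('Skipping because node compiled without OpenSSL.');
+process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var tls = require('tls');
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'blargh' });
+}, /Unknown method/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv2_method' });
+}, /SSLv2 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv2_client_method' });
+}, /SSLv2 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv2_server_method' });
+}, /SSLv2 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv3_method' });
+}, /SSLv3 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv3_client_method' });
+}, /SSLv3 methods disabled/);
+
+assert.throws(function() {
+tls.createSecureContext({ secureProtocol: 'SSLv3_server_method' });
+}, /SSLv3 methods disabled/);
+
+// Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends are
+// still accepted. They are OpenSSL's way of saying that all known protocols
+// are supported unless explicitly disabled (which we do for SSLv2 and SSLv3.)
+tls.createSecureContext({ secureProtocol: 'SSLv23_method' });
+tls.createSecureContext({ secureProtocol: 'SSLv23_client_method' });
+tls.createSecureContext({ secureProtocol: 'SSLv23_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_server_method' });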
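Review bot: The comment introducing the accepted-method list says `SSLv2_method and friends are still accepted`, but the assertions directly above it require `SSLv2_method`, `SSLv2_client_method` and `SSLv2_server_method` to throw `/SSLv2 methods disabled/`; the comment clearly means the SSLv23 family and should read `// Note that SSLv2 and SSLv3 are disallowed but SSLv23_method and friends are`. As written it tells a reader that the explicit SSLv2 selector is still honoured, which is the opposite of the property this test pins down. It would also help to add a one-line comment above the `SSLv23_*` calls saying they only check that a context can be created; that a default context actually refuses an SSLv3 handshake is exercised by the companion s_client test in this commit, not here.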
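--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_FILE_2
@@ -0,0 +1,34 @@
+if (!process.versions.openssl) {
+console.error('Skipping because node compiled without OpenSSL.');
+process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var fs = require('fs');
+var spawn = require('child_process').spawn;
+var tls = require('tls');
+
+var cert = fs.readFileSync(common.fixturesDir + '/test_cert.pem');
+var key = fs.readFileSync(common.fixturesDir + '/test_key.pem');
+var server = tls.createServer({ cert: cert, key: key }, assert.fail);
+
+server.listen(common.PORT, '127.0.0.1', function() {
+var address = this.address().address + ':' + this.address().port;
+var args = ['s_client',
+'-no_ssl2',
+'-ssl3',
+'-no_tls1',
+'-no_tls1_1',
+'-no_tls1_2',
+'-connect', address];
+var client = spawn(common.opensslCli, args, { stdio: 'inherit' });
+client.once('exit', common.mustCall(function(exitCode) {
+assert.equal(exitCode, 1);
+server.close();
+}));
+});
+
+server.once('clientError', common.mustCall(function(err, conn) {
+assert(/SSL3_GET_CLIENT_HELLO:wrong version number/.test(err.message));
+}));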
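Review bot: There is no skip path for a missing or SSLv3-less `openssl` binary: the `spawn(common.opensslCli, args, ...)` call with `-ssl3` only produces the expected `SSL3_GET_CLIENT_HELLO:wrong version number` clientError if the CLI itself still speaks SSLv3, and a CLI built without it would presumably reject `-ssl3` before connecting, so the `common.mustCall` on the `clientError` listener fails with an unrelated-looking error instead of a skip. Mirroring the OpenSSL guard at the top of the file, add `if (!common.opensslCli) { console.error('Skipping because node compiled without OpenSSL CLI.'); process.exit(0); }` before the server is created, assuming `common.opensslCli` resolves to a falsy value when the binary is absent as I believe other tests in the tree rely on. The asserted message is also tied to OpenSSL's error-string format; a comment such as `// Matches OpenSSL's reason text for a rejected SSLv3 ClientHello; adjust if the OpenSSL build changes it.` would help whoever has to update the regex on an OpenSSL upgrade.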