lukechilds
/
node
mirror of https://github.com/lukechilds/node.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

tls: use SHA1 for sessionIdContext 

FIPS 140-2 disallows use of MD5, which is used to derive the
default sessionIdContext for tls.createServer().

PR-URL: https://github.com/nodejs/node/pull/3866
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
process-exit-stdio-flushing
Stefan Budeanu 9 years ago
committed by Fedor Indutny
parent
424ae5d4ac
commit
df268f97bc
2 changed files with 7 additions and 19 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      doc/api/tls.markdown
  2. 20
      lib/_tls_wrap.js

6
doc/api/tls.markdown
View File

@ -841,9 +841,9 @@ automatically set as a listener for the [secureConnection][] event. The
NOTE: Automatically shared between `cluster` module workers.
- `sessionIdContext`: A string containing an opaque identifier for session
resumption. If `requestCert` is `true`, the default is MD5 hash value
generated from command-line. (In FIPS mode a truncated SHA1 hash is
used instead.) Otherwise, the default is not provided.
resumption. If `requestCert` is `true`, the default is a 128 bit
truncated SHA1 hash value generated from command-line. Otherwise,
the default is not provided.
- `secureProtocol`: The SSL method to use, e.g. `SSLv3_method` to force
SSL version 3. The possible values depend on your installation of

20
lib/_tls_wrap.js
View File

@ -14,21 +14,6 @@ const Timer = process.binding('timer_wrap').Timer;
const tls_wrap = process.binding('tls_wrap');
const TCP = process.binding('tcp_wrap').TCP;
const Pipe = process.binding('pipe_wrap').Pipe;
const defaultSessionIdContext = getDefaultSessionIdContext();
function getDefaultSessionIdContext() {
var defaultText = process.argv.join(' ');
/* SSL_MAX_SID_CTX_LENGTH is 128 bits */
if (process.config.variables.openssl_fips) {
return crypto.createHash('sha1')
.update(defaultText)
.digest('hex').slice(0, 32);
} else {
return crypto.createHash('md5')
.update(defaultText)
.digest('hex');
}
}
function onhandshakestart() {
debug('onhandshakestart');
@ -908,7 +893,10 @@ Server.prototype.setOptions = function(options) {
if (options.sessionIdContext) {
this.sessionIdContext = options.sessionIdContext;
} else {
this.sessionIdContext = defaultSessionIdContext;
this.sessionIdContext = crypto.createHash('sha1')
.update(process.argv.join(' '))
.digest('hex')
.slice(0, 32);
}
};

Write Preview
Loading…
Cancel
Save