This commit changes the default value of the rejectUnauthorized option from
false to true.
What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.
There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.
Fixes#3949.
A HTTP/1.0 client does not support 'Transfer-Encoding: chunked' unless it
explicitly requests it by sending a 'TE: chunked' header.
Before this commit, node.js always disabled chunked encoding for HTTP/1.0
clients. Now it will scan for the TE header and turn on chunked encoding if
requested and applicable.
Fixes#940.
With this patch the IPC socket is no longer available in the
ChildProcess.stdio array. This shouldn't be very problematic, since
this socket was effectively non-functional; it would never emit any
events.
Throw an exception in the tls.Server constructor when the options object
doesn't contain either a PFX or a key/certificate combo.
Said change exposed a bug in simple/test-tls-junk-closes-server. Addressed.
Fixes#3941.
It takes an optional "expected exception" argument that is not used meaningfully
but is nevertheless documented. Undocument it, it confuses casual readers of the
documentation.
Fixes#3935.
Update the default cipher list from RC4-SHA:AES128-SHA:AES256-SHA
to ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
in order to mitigate BEAST attacks.
The documentation suggested AES256-SHA but unfortunately that's a CBC cipher
and therefore susceptible to attacks.
Fixes#3900.
Ensure that the delay >= 0 when detaching the timer from the queue. Fixes the
following assertion:
uv_timer_start: Assertion `timeout >= 0' failed.
No test included, it's timing sensitive.
Commit 4e5fe2d changed the way how process.nextTick() works:
process.nextTick(function foo() {
process.nextTick(function bar() {
// ...
});
});
Before said commit, foo() and bar() used to run on separate event loop ticks
but that is no longer the case.
However, that's exactly the behavior that the TLS renegotiation attack guard
relies on. It gets called by OpenSSL and needs to defer the 'error' event to a
later tick because the default action is to destroy the TLS context - the same
context that OpenSSL currently operates on.
When things change underneath your feet, bad things happen and OpenSSL is no
exception. Ergo, use setImmediate() instead of process.nextTick() to ensure
that the 'error' event is actually emitted at a later tick.
Fixes#3840.
Fixes a minor oversight introduced in 168a555, resulting in the following error:
fs.js:467
return fs.ftruncateSync(path, len, callback);
^
ReferenceError: callback is not defined
at Object.fs.truncateSync (fs.js:467:40)
This commit reverts the following commits (in reverse chronological order):
74d076c errnoException must be done immediately
ddb02b9 net: support Server.listen(Pipe)
085a098 cluster: do not use internal server API
d138875 net: lazy listen on handler
Commit d138875 introduced a backwards incompatible change that broke the
simple/test-net-socket-timeout and simple/test-net-lazy-listen tests - it
defers listening on the target port until the `net.Server` instance has at
least one 'connection' event listener.
The other patches had to be reverted in order to revert d138875.
Fixes#3832.
The destroy() method of fs.ReadStream and fs.WriteStream takes a callback.
It's a leftover from the node 0.1 days, undocumented and not part of the
streams API. Remove it.