ALPN is added to tls according to RFC7301, which supersedes NPN.
When the server receives both NPN and ALPN extensions from the client,
ALPN takes precedence over NPN and the server does not send NPN
extension to the client. alpnProtocol in TLSSocket always returns
false when no selected protocol exists by ALPN.
In https server, http/1.1 token is always set when no
options.ALPNProtocols exists.
PR-URL: https://github.com/nodejs/node/pull/2564
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Upon creating a TLSSocket object, set the default isServer option to false
Updated tls docs and added test-tls-socket-default-options
PR-URL: https://github.com/nodejs/node/pull/2614
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Helps in implementation of #6204, where some options passed to
`createSecurePair()` are ignored before this patch.
These options are very helpful if someone wants to pass
`options.servername` or `options.SNICallback` to securepair.
PR-URL: https://github.com/nodejs/node/pull/2441
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Add a new option to specifiy a minimum size of an ephemeral DH
parameter to accept a tls connection. Default is 1024 bit.
PR-URL: https://github.com/nodejs/node/pull/1831
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Returns an object representing a type, name and size of an ephemeral
key exchange in a client connection. Currently only DHE and ECHE are
supported.
This api only works on on a client connection. When it is called on a
server connection, null is returned. When its key exchange is not
ephemeral, an empty object is returned.
PR-URL: https://github.com/nodejs/node/pull/1831
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Markdown requires 4-space indent to correctly format code blocks. This
fixes the example so it's correctly presented as code.
PR-URL: https://github.com/nodejs/node/pull/3372
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
The deprecation messages in the documentations should be in the format
Stability: 0 - Deprecated: Use [alternate] instead.
so that they will be consistent.
PR-URL: https://github.com/nodejs/node/pull/2450
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit replaces instances of io.js with Node.js, based on the
recent convergence. There are some remaining instances of io.js,
related to build and the installer.
Fixes: https://github.com/nodejs/node/issues/2361
PR-URL: https://github.com/nodejs/node/pull/2367
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
This adds a new `--tls-cipher-list` command line switch
that can be used to override the built-in default cipher
list. The intent of this is to make it possible to enforce
an alternative default cipher list at the process level.
Overriding the default cipher list is still permitted at
the application level by changing the value of
`require('tls').DEFAULT_CIPHERS`.
As part of the change, the built in default list is moved
out of tls.js and into node_constants.h and node_constants.cc.
Two new constants are added to require('constants'):
* defaultCipherList (the active default cipher list)
* defaultCoreCipherList (the built-in default cipher list)
A test case and doc changes are included.
A new NODE_DEFINE_STRING_CONSTANT macro is also created in
node_internals.h
When node_constants is initialized, it will pick up either
the passed in command line switch or fallback to the default
built-in suite.
Within joyent/node, this change had originaly been wrapped
up with a number of other related commits involving the
removal of the RC4 cipher. This breaks out this isolated
change.
/cc @mhdawson, @misterdjules, @trevnorris, @indutny, @rvagg
Reviewed By: Ben Noordhuis <ben@strongloop.com>
PR-URL: https://github.com/nodejs/node/pull/2412
This adds references to the newly available crypto.getCurves method
where appropriate.
PR-URL: https://github.com/nodejs/io.js/pull/1918
Reviewed-By: Brian White <mscdex@mscdex.net>
Added instructions on how to get the elliptic curves supported by the
OpenSSL installation in the crypto.createECDH() constructor. Also made
a few minor grammar fixes within the same paragraph.
PR-URL: https://github.com/nodejs/io.js/pull/1913
Reviewed-By: Roman Reiss <me@silverwind.io>
DHE key lengths less than 1024bits is already weaken as pointed out in
https://weakdh.org/ . 1024bits will not be safe in near future. We
will extend this up to 2048bits somedays later.
PR-URL: https://github.com/nodejs/io.js/pull/1739
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
AES-GCM or CHACHA20_POLY1305 ciphers must be used in current version of
Chrome to avoid an 'obsolete cryptography' warning.
Prefer 128 bit AES over 192 and 256 bit AES considering attacks that
specifically affect the larger key sizes but do not affect AES 128.
PR-URL: https://github.com/iojs/io.js/pull/1660
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: Roman Reiss <me@silverwind.io>
This simplifies the stability index to 4 levels:
0 - deprecated
1 - experimental / feature-flagged
2 - stable
3 - locked
Domains has been downgraded to deprecated, assert has been
downgraded to stable. Timers and Module remain locked. All
other APIs are now stable.
PR-URL: https://github.com/iojs/io.js/pull/943
Fixes: https://github.com/iojs/io.js/issues/930
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Vladimir Kurchatkin <vladimir.kurchatkin@gmail.com>
This option has been there for a long time, but has never been
documented. It's functionally identical to the server counterpart.
PR-URL: https://github.com/iojs/io.js/pull/845
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This updates the default cipher suite to an more secure list, which
prefers strong ciphers with Forward Secrecy. Additionally, it enables
`honorCipherOrder` by default.
Noteable effect of this change is that the insecure RC4 ciphers are
disabled and that Chrome negotiates a more secure ECDHE cipher.
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: https://github.com/iojs/io.js/pull/826
SSLv2 has been deprecated and known broken for nearly twenty years now.
I made SSLv2 support opt-in well over a year ago in commit 39aa894 and
now this commit removes it entirely.
PR-URL: https://github.com/iojs/io.js/pull/290
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This commit fixes a few grammar issues located
within the doc files for timers and tls.
They primarily include incorrect use of a / an
and a single insertion of a comma.
same as [this PR](https://github.com/joyent/node/pull/8581)
Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: https://github.com/iojs/io.js/pull/76
In `tls.markdown`, there was a misuse of 'a' which has been replaced
with 'an'.
In `timers.markdown`...
line 31: misuse of 'a', replaced with 'an'
line 59: unclear wording, haywire 'a', added new comma
pending tls.TLSSocket growing the ability to work
with streams, createSecurePair will remain.
PR-URL: https://github.com/joyent/node/pull/8695
Reviewed-by: Fedor Indutny <fedor@indutny.com>
The parameter parser specifically looked for the old bracket syntax.
This generated a lot of warnings when building the docs. Those warnings
have been fixed by changing the parsing logic.
Signed-off-by: Trevor Norris <trev.norris@gmail.com>
Documentation incorrectly used bracket notation for optional parameters.
This caused inconsistencies in usage because of examples like the
following:
fs.write(fd, data[, position[, encoding]], callback)
This simply fixes all uses of bracket notation in documentation.
Signed-off-by: Trevor Norris <trev.norris@gmail.com>
Reviewed-by: Fedor Indutny <fedor@indutny.com>
In case of an invalid DH parameter file, it is sliently discarded. To
use auto DH parameter in a server and DHE key length check in a
client, we need to wait for the next release of OpenSSL-1.0.2.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
In tls.connect a unix socket connection to a path may be made in
recent versions of node by specifying the value for the path
property.
Signed-off-by: Fedor Indutny <fedor@indutny.com>
Move `createCredentials` to `tls` module and rename it to
`createSecureContext`. Make it use default values from `tls` module:
`DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`.
fix#7249