Add a test that goes through the whole matrix of:
- command line options (--enable-ssl*)
- secureOptions
- secureProtocols
and makes sure that compatible test setups actually work as expected.
The test works by spawning two processes for each test case: one client
and one server. The test passes if a SSL/TLS connection from the client
to the server is successful and the test case was supposed to pass, or
if the connection couldn't be established and the test case was supposed
to fail.
The test is currently located in the directory 'test/external' because
it has external dependencies.
* openssl: Update to 1.0.1j (Addressing multiple CVEs)
* uv: Update to v0.10.29
* child_process: properly support optional args (cjihrig)
* crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny,
Timothy J Fontaine, Alexis Campailla)
This is a behavior change, by default we will not allow the negotiation to
SSLv2 or SSLv3. If you want this behavior, run Node.js with either
`--enable-ssl2` or `--enable-ssl3` respectively.
This does not change the behavior for users specifically requesting
`SSLv2_method` or `SSLv3_method`. While this behavior is not advised, it is
assumed you know what you're doing since you're specifically asking to use
these methods.
adds a note to the crypto docs passing along
the advice that openssl gives about what
key derivation function they recommend.
PR-URL: https://github.com/joyent/node/pull/8580
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Always set ssl2/ssl3 disabled based on whether they are enabled in Node.
In some corner-case scenario, node with OPENSSL_NO_SSL3 defined could
be linked to openssl that has SSL3 enabled.
In the case of a pipe'd input, i.e. from the CI the fd will be a PIPE
and when listen() is called it will return ENOTSOCK instead of EINVAL.
Backport: cd2d3aedaa
The order of the callbacks is non-deterministic, so don't expect the
error messages to come back in the same order every time, instead just
verify they are expected messages.
This change disables SSLv2/SSLv3 use by default, and introduces a
command line flag to opt into using SSLv2/SSLv3.
SSLv2 and SSLv3 are considered unsafe, and should only be used in
situations where compatibility with other components is required and
they cannot be upgrade to support newer forms of TLS.
Because of constant-timeness change made in openssl-1.0.1j the error is
no longer returned from EVP_DecryptFinal_ex. Now it just return 0, and
thus the error message does not contain proper error code. Adapt to this
change, there is not much that we could do about it.
Expands the paragraph in the transform stream
implementation docs about the callback that is passed
to the _transform method to include details about how
two arguments may be passed, error and data. A code
example is also included.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Currently, a TypeError is incorrectly thrown if the second argument is
an object. This commit allows the args argument to be properly omitted.
Fixes: https://github.com/joyent/node/issues/6068
Reviewed-by: Trevor Norris <trev.norris@gmail.com>
* npm: Update to 1.4.28
* v8: fix a crash introduced by previous release (Fedor Indutny)
* configure: add --openssl-no-asm flag (Fedor Indutny)
* crypto: use domains for any callback-taking method (Chris Dickinson)
* http: do not send `0rnrn` in TE HEAD responses (Fedor Indutny)
* querystring: fix unescape override (Tristan Berger)
* url: Add support for RFC 3490 separators (Mathias Bynens)
When replying to a HEAD request, do not attempt to send the trailers and
EOF sequence (`0\r\n\r\n`). The HEAD request MUST not have body.
Quote from RFC:
The presence of a message body in a response depends on both the
request method to which it is responding and the response status code
(Section 3.1.2). Responses to the HEAD request method (Section 4.3.2
of [RFC7231]) never include a message body because the associated
response header fields (e.g., Transfer-Encoding, Content-Length,
etc.), if present, indicate only what their values would have been if
the request method had been GET (Section 4.3.1 of [RFC7231]).
fix#8361
Reviewed-By: Timothy J Fontaine <tjfontaine@gmail.com>
This adds domains coverage for pdbkdf2, pseudoRandomBytes, and randomBytes.
All others should be covered by event emitters.
Fixes#5801.
Reviewed-By: Timothy J Fontaine <tjfontaine@gmail.com>
The behavior of the `node_modules` lookup algorithm was
changed in #1177, but the documentation was not updated completely
to describe the new behavior.
The pseudocode of the lookup algorithm did not metion that
`index.json` is tried to be loaded if you require a folder.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR #8034 came with a test to make sure that timers expiry is based on
monotonic time and not on wall-clock time. However, a bug in the
implementation broke timers with non-integer delays. A fix for this
issue was provided with PR #8073, but it didn't come with a test.
Because #8073 fixed a subtle issue that could reappear in the future,
and because the impact of such an issue would be significant, I suggest
adding this test.
The test would timeout after 1 minute if the issue was reproduced.
Otherwise it will run very quickly.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
There is no need to split the host by hand in `url.js` – Punycode.js
takes care of it anyway. This not only simplifies the code, but also
adds support for RFC 3490 separators (i.e. not just U+002E, but U+3002,
U+FF0E, and U+FF61 as well).
Closes#6055.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Documentation states that `querystring.unescape` may be overridden to
replace unescaper during parsing. However, the function was only
being used as a fallback for when the native decoder throws (on a
malformed URL). This patch moves the call to the native function and
the try/catch around it into querystring.unescape then has the parser
always invoke it, so that an override will always be used.
Fixes#4055
Reviewed-By: Fedor Indutny <fedor@indutny.com>
fd80a31e06 has introduced a segfault
during redundant boundary check elimination (#8208).
The problem consists of two parts:
1. Abscense of instruction iterator in
`EliminateRedundantBoundsChecks`. It was present in recent v8, but
wasn't considered important at the time of backport. However, since
the function is changing instructions order in block, it is
important to not rely at `i->next()` at the end of the loop.
2. Too strict ASSERT in `MoveIndexIfNecessary`. It is essentially a
backport of a45c96ab from v8's upstream. See
https://github.com/v8/v8/commit/a45c96ab for details.
fix#8208