Disable EXPORT and LOW SSLv3+ ciphers by default for Argon, v0.12 and v0.10 #85
Comments
|
Ok so if you build by default openssl does not define OPENSSL_NO_WEAK_SSL_CIPHERS or is it that because we have a pre-configured build files we did not define OPENSSL_NO_WEAK_SSL_CIPHERS even though a default build of openssl does ? |
|
These weak ciphers are disabled by default in At the last openssl upgrading of openssl in Node, we missed to add the new define to |
3 tasks
|
@shigeki .. which LTS versions does this apply to? |
|
@jasnell For v4.x (Argon), v0.12 and v0.10. This change is included in both openssl-1.0.2 and 1.0.1. |
|
I'm OK with this but technically I think we'd have to do a minor bump in v4. |
|
@shigeki - So that its 100% clear my understanding is:
If that's the case then I'd agree we want to disable them as I think we already believed we had. |
|
@mhdawson Yes for both 1) and 2). I open this issue because it affects users who are using weak ciphers(LOW and EXPORT) with explicitly defining their cipher suites. Default cipher in Node does not include them. |
|
@jasnell I reckon we could do this as semver-patch as a "bugfix" for what should have been done in 4.3. It should get in asap. |
|
@shigeki the justification for enabling LOW and EXPORT is weaker than the justification for enabling SSLv2 right? There's no good reason to be using them at all at this stage is there? I'd be happy with a PR against 0.10-staging and 0.12-staging for inclusion in the next releases there. |
|
Here is the list of ciphers to be disabled by Each of them can be classified to
I think that they have no longer reasons to be supported for current use. I will submit a PR for v0.12 soon.
|
|
Yeah, I agree, unless @nodejs/crypto or @nodejs/lts have objections I'd like us to move forward with removing these from 0.10 and 0.12 and v4. As I said above, I'm happy for them to be considered a bugfix on top of the 1.0.1s ad 1.0.2g upgrades where they should have been disabled, negating the need for semver-minor in v4. Even with my normally conservative approach to LTS changes, I find it very difficult to imagine that any of the above ciphers listed by @shigeki have any reason for being enabled in a Node stack, particularly a v4 one where presumably the user is at least putting in some effort to be "modern". |
|
I'm fine with disabling them in a patch release. Realistically, no one in their right mind is using those ciphers. |
|
+1 from me. |
|
+1 from me |
|
+1. SGTM
|
shigeki
pushed a commit
to shigeki/node
that referenced
this issue
Mar 15, 2016
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85
4 tasks
shigeki
pushed a commit
to shigeki/node
that referenced
this issue
Mar 15, 2016
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85 PR-URL: nodejs#5712 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
to shigeki/node
that referenced
this issue
Mar 15, 2016
DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. Fixes: nodejs/Release#85 PR-URL: nodejs#5712 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
to nodejs/node
that referenced
this issue
Mar 15, 2016
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85 PR-URL: #5712 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
to nodejs/node
that referenced
this issue
Mar 15, 2016
DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. Fixes: nodejs/Release#85 PR-URL: #5712 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
to nodejs/node
that referenced
this issue
Mar 15, 2016
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85 PR-URL: #5712 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
to nodejs/node
that referenced
this issue
Mar 15, 2016
DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add AES128-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. Fixes: nodejs/Release#85 PR-URL: #5712 Reviewed-By: Ben Noordhuis <[email protected]>
|
Thanks for all your agreements. The fixes were landed in v0.12-staging and v0.10-staging. |
shigeki
pushed a commit
to nodejs/node
that referenced
this issue
Mar 15, 2016
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
evanlucas
pushed a commit
to nodejs/node
that referenced
this issue
Mar 15, 2016
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
rvagg
pushed a commit
to nodejs/node
that referenced
this issue
Mar 16, 2016
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
MylesBorins
pushed a commit
to nodejs/node
that referenced
this issue
Mar 21, 2016
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
MylesBorins
pushed a commit
to nodejs/node
that referenced
this issue
Mar 21, 2016
OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
rvagg
added a commit
to nodejs/node
that referenced
this issue
Mar 31, 2016
Notable changes: * npm: Upgrade to v2.15.1. (Forrest L Norvell) * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712
rvagg
added a commit
to nodejs/node
that referenced
this issue
Mar 31, 2016
Notable changes: * npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712
rvagg
added a commit
to nodejs/node
that referenced
this issue
Mar 31, 2016
Notable changes: * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. (Forrest L Norvell) #5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712 PR-URL: #5967
rvagg
added a commit
to nodejs/node
that referenced
this issue
Mar 31, 2016
Notable changes: * npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) #5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712 PR-URL: #5968
rvagg
added a commit
to nodejs/node
that referenced
this issue
Apr 1, 2016
Notable changes: * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. (Forrest L Norvell) #5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712 PR-URL: #5967
rvagg
added a commit
to nodejs/node
that referenced
this issue
Apr 1, 2016
Notable changes: * npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) #5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) #5712 PR-URL: #5968
jBarz
pushed a commit
to ibmruntimes/node
that referenced
this issue
Nov 4, 2016
openssl-1.0.1s disables EXPORT and LOW ciphers by default. They are obsoleted ciphers and not safe for the current use. Node LTS also deprecates them. Fixes: nodejs/Release#85 PR-URL: nodejs/node#5712 Reviewed-By: Ben Noordhuis <[email protected]>
jBarz
pushed a commit
to ibmruntimes/node
that referenced
this issue
Nov 4, 2016
DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. Fixes: nodejs/Release#85 PR-URL: nodejs/node#5712 Reviewed-By: Ben Noordhuis <[email protected]>
jBarz
pushed a commit
to ibmruntimes/node
that referenced
this issue
Nov 4, 2016
Notable changes: * npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. (Forrest L Norvell) nodejs/node#5967 * openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (nodejs/Release#85). (Shigeki Ohtsu) nodejs/node#5712 PR-URL: nodejs/node#5967
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
OpenSSL-1.0.1s and 1.0.2g disables EXPORT and LOW ciphers in openssl/openssl@abd5d8f .
We missed to add
OPENSSL_NO_WEAK_SSL_CIPHERSat the last upgrading so I would like to add it to config. They are weak ciphers so that they are not included in the default cipher list.I would like to add this without adding new command line flag even it leads some incpompatibilies because using them is too unsafe like SSLv2.
Ref: nodejs/node#5630
The text was updated successfully, but these errors were encountered: