[Converge] --cipher-list and --enable-legacy-cipher-list Command Line Switch #39
Comments
|
The tl/dr version: This work adds new command line switches and envars:
|
|
/cc @nodejs/crypto |
|
I'm wondering if there is a case for the legacy ciphers list, are we aware of any use cases that would break if they change to the new list. I know the new list is very restrictive but it's also modern and similar to what you'll find configured in many web servers today. We might be denying use of Java6 or Android Browser 4 but .. if you're supporting old clients like that then I'm sure you're expecting to have a hard time all over the place. I'm +1 on |
|
What is the reason behind introducing command line arg and env variable for overriding this? I wonder if it might be accomplished in the user land without doing this? Are there any people who requested it? |
|
Will provide more detail on the history of this when I've got more time
|
|
Ok, so I'll split this up a bit: The main justification for introducing The justification for the legacy cipher list is to make it possible to revert to a specific known previous default without requiring that developers keep track of the lists themselves. The intent is to keep this list of supported legacy lists as short as possible, but yes, it's possible to build up cruft. When we (IBM) first made these changes to our own Node.js build, we initially deployed to our bluemix environment using the updated cipher list that switches off RC4. Once it was deployed, we discovered that quite a few of the applications deployed on top ended up breaking because of their reliance on RC4. Instead of having to revert the deployment, the sysops were simply able to use the legacy cipher environment variable to temporarily revert the default cipher list without (a) having to know what that default cipher list was (they simply enabled the default for the previous version of node they deployed), (b) having to revert the Node update on their servers or (c) having to force application developers to work. After setting that environment variable, they went back and worked with the application developers whose applications broke to get them off of RC4 then were simply able to remove that environment variable to switch back to the new default cipher list. It ended up being a very simple and smooth approach. It would be possible to use a userland module to maintain the old cipher lists but then each application deployed to a PaaS environment like bluemix would need to be modified to use the module when a temporary system-wide revert like the one described above becomes necessary. @mhdawson may have some additional thoughts on this as well... |
|
Thank you for the explanation! +1 |
|
Pretty sure this is handled by nodejs/node#2412 |
We've been in the progress of porting the updated io.js default cipher lists over to node.js. In addition to this change, we're working on adding new
--cipher-listand--enable-default-cipher-listcommand line switches that allow the compiled in default cipher list to be overridden. This is a work in progress that hasn't fully landed yet.4d9c81b7e2522c5d5d9d35058cbb0bce1228d360 test: fixing a few nits in the test370573665a4daba22655e00c8d0ae8577899d8e5 tls: pass in isolate with define string constant + style nits3f58ce6942fd0cf90877a4df2fb32539f1614c9d tls: make --enable-legacy-cipher-list less verbose1bf15467e2b7e074f16744806aff92544953fbd9 tls: command-line switch and envar cipher-list overrideThe text was updated successfully, but these errors were encountered: