From 5e3b0095de96469a65f6e789e0d2b54d76711463 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Wed, 16 Nov 2011 23:54:43 +0100
Subject: [PATCH] tls: make cipher list configurable

options.ciphers existed but didn't work, the cipher list was effectively hard-coded to RC4-SHA:AES128-SHA:AES256-SHA. Fixes #2066.
---
 lib/tls.js | 5 +--
 test/simple/test-tls-set-ciphers.js | 61 +++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 test/simple/test-tls-set-ciphers.js

diff --git a/lib/tls.js b/lib/tls.js
index 21bb2af0721a..8f83ecf98651 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -849,15 +849,13 @@ function Server(/* [options], listener */) {
     passphrase: self.passphrase,
     cert: self.cert,
     ca: self.ca,
-    ciphers: self.ciphers,
+    ciphers: self.ciphers || 'RC4-SHA:AES128-SHA:AES256-SHA',
     secureProtocol: self.secureProtocol,
     secureOptions: self.secureOptions,
     crl: self.crl,
     sessionIdContext: self.sessionIdContext
   });
 
-  sharedCreds.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
-
   // constructor call
   net.Server.call(this, function(socket) {
     var creds = crypto.createCredentials(null, sharedCreds.context);
@@ -1017,7 +1015,6 @@ exports.connect = function(port /* host, options, cb */) {
   var socket = new net.Stream();
   var sslcontext = crypto.createCredentials(options);
 
-  //sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
   convertNPNProtocols(options.NPNProtocols, this);
 
   var pair = new SecurePair(sslcontext, false, true, false,
diff --git a/test/simple/test-tls-set-ciphers.js b/test/simple/test-tls-set-ciphers.js
new file mode 100644
index 000000000000..ba5c868d12cf
--- /dev/null
+++ b/test/simple/test-tls-set-ciphers.js
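Review bot: The server fallback list `'RC4-SHA:AES128-SHA:AES256-SHA'` now lives as an inline literal on the `ciphers:` line of the createCredentials call, while the client path in the exports.connect hunk no longer applies any list at all, so server and client defaults now diverge (the client presumably inherits whatever OpenSSL's own default is). Hoisting it to a module-level constant, `var DEFAULT_CIPHERS = 'RC4-SHA:AES128-SHA:AES256-SHA';` used as `ciphers: self.ciphers || DEFAULT_CIPHERS,`, gives the preference order a single reviewable place; that order currently puts RC4-SHA ahead of the AES suites and deserves a short comment saying why. Note also that `||` treats an explicit empty string like an unset option and silently falls back to the default instead of reporting it. Whether createCredentials actually forwards options.ciphers to the context is not visible here, and the Server function begins and ends outside the hunk.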
@@ -0,0 +1,61 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+var common = require('../common');
+var assert = require('assert');
+var exec = require('child_process').exec;
+var tls = require('tls');
+var fs = require('fs');
+
+if (process.platform === 'win32') {
+  console.log("Skipping test, you probably don't have openssl installed.");
+  process.exit();
+}
+
+var options = {
+  key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
+  cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
+  ciphers: 'NULL-MD5' // it's ultra-fast!
+};
+
+var reply = 'I AM THE WALRUS'; // something recognizable
+var nconns = 0;
+var response = '';
+
+process.on('exit', function() {
+  assert.equal(nconns, 1);
+  assert.notEqual(response.indexOf(reply), -1);
+});
+
+var server = tls.createServer(options, function(conn) {
+  conn.end(reply);
+  nconns++;
+});
+
+server.listen(common.PORT, '127.0.0.1', function() {
+  var cmd = 'openssl s_client -cipher NULL-MD5 -connect 127.0.0.1:' + common.PORT;
+
+  exec(cmd, function(err, stdout, stderr) {
+    if (err) throw err;
+    response = stdout;
+    server.close();
+  });
+});
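Review bot: The exit handler only checks that one connection happened and the reply came back, so the test proves the handshake succeeded with s_client restricted to NULL-MD5 but never checks which suite was actually negotiated. s_client prints the negotiated suite in its session summary, so a third assertion such as `assert.ok(/Cipher\s*:\s*NULL-MD5/.test(response));` would pin the intent of the test directly. The `ciphers: 'NULL-MD5'` line deserves a comment saying this is a null-encryption suite chosen so that the handshake fails outright if the server falls back to its default list, so the choice is not copied into non-test code. The `stderr` parameter of the exec callback is unused and could be dropped or logged on failure to make a handshake error easier to diagnose.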