tls: Update cipher-list defaults, add command-line switches #14383
Port of io.js commit: nodejs/node@77f3586

Original commit message:

This updates the default cipher suite to a more secure list, which prefers strong ciphers with Forward Secrecy. Additionally, it enables `honorCipherOrder` by default. Notable effect of this change is that the insecure RC4 ciphers are disabled and that Chrome negotiates a more secure ECDHE cipher.

Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Fedor Indutny <[email protected]>
PR-URL: nodejs/node#826
Force-pushed from b72acf0 to 025dd75.
(This is just for master... separate PRs will be coming for backporting changes into /cc @joyent/node-coreteam
Force-pushed from 025dd75 to 008ccd9.
There will be just a couple more updates on this coming soon.. just a few minor late breaking tweaks...
Add command line switches and environment variables to override the default cipher suite in tls.js

`--cipher-list` and `NODE_CIPHER_LIST` can be used to completely override the default cipher list with a given value.

`--enable-legacy-cipher-list` and `NODE_LEGACY_CIPHER_LIST` can be used to reset the default cipher list back to a known legacy value shipped in prior Node.js releases.

A new `getLegacyCiphers` method on the tls module allows programmatic access to the old cipher list defaults.
Force-pushed from 008ccd9 to 12c3a57.
" set to v0.10.38 to use the v0.10.38 list,\n" | ||
" set to v0.10.39 to use the v0.10.39 list.\n" | ||
" set to v0.12.2 to use the v0.12.2 list.\n" | ||
" set to v0.12.3 to use the v0.12.3 list.\n" |
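Review bot: the four "set to vX to use the vX list" lines say the same thing once per version, and their punctuation is inconsistent (the first ends with a comma, the rest with a full stop); a single line naming the accepted values, e.g. `" --enable-legacy-cipher-list=val use a legacy cipher list (v0.10.38, v0.10.39, v0.12.2, v0.12.3)\n"`, is shorter and stays in sync more easily when a version is added.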
I think it would be enough to simply list possible options. Users could probably figure out from context that each one corresponds to a given version.
;) one hopes, yes.
On Apr 3, 2015 1:25 PM, "Trevor Norris" [email protected] wrote:
In src/node.cc
#14383 (comment):@@ -2929,6 +2929,12 @@ static void PrintHelp() {
#endif
" --enable-ssl2 enable ssl2\n"
" --enable-ssl3 enable ssl3\n"
" --cipher-list=val specify the default TLS cipher list\n"
" --enable-legacy-cipher-list=val \n"
" set to v0.10.38 to use the v0.10.38 list,\n"
" set to v0.10.39 to use the v0.10.39 list.\n"
" set to v0.12.2 to use the v0.12.2 list.\n"
" set to v0.12.3 to use the v0.12.3 list.\n"
I think it would be enough to simply list possible options. Users could probably figure out from context that each one corresponds to a given version.
Few small things, but looking good.
Based on commit feedback, make the PrintHelp for --enable-legacy-cipher-list less verbose.
Per the commit feedback, fix up style nits and pass in the isolate with the NODE_DEFINE_STRING_CONSTANT macro.
Reviewed for consistency with 0.12 and 0.10 patches, looks good. Differences between them also make sense. This looks like changes from the original io.js patch plus the changes for 0.10.X and 0.12.X. Will need to squash and ensure the final commit comment is less than the 50 char limit, but otherwise lgtm.
@@ -3040,6 +3047,20 @@ static void ParseArgs(int* argc, | |||
} else if (strcmp(arg, "--v8-options") == 0) { | |||
new_v8_argv[new_v8_argc] = "--help"; | |||
new_v8_argc += 1; | |||
} else if (strncmp(arg, "--cipher-list=", 14) == 0) { |
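Review bot: `strncmp(arg, "--cipher-list=", 14)` hard-codes the prefix length, so a later edit of the literal silently desynchronises the count; `sizeof("--cipher-list=") - 1` keeps them in step. The visible check only matches the prefix, so make sure the branch rejects an empty value after `=` rather than letting `--cipher-list=` replace the default with an empty cipher list, and the same applies to the `--enable-legacy-cipher-list=` branch this hunk adds. Given the thread's suggestion, this parsing could also live in src/node.js with node.cc only exposing the raw option value.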
Could this be done in src/node.js instead of in src/node.cc? It seems it would just be less error prone and shorter.
@jasnell Added some comments, sorry again for taking so long in reviewing this!
@jasnell Running the tests suite in
@jasnell All tests in
+1... my time tonight is disappearing quick so I will work on landing these

On Tue, Apr 7, 2015 at 5:42 PM, Julien Gilli [email protected]
typo and unnecessary options init
Port of io.js commit: nodejs/node@77f3586

Original commit message:

This updates the default cipher suite to a more secure list, which prefers strong ciphers with Forward Secrecy. Additionally, it enables `honorCipherOrder` by default. Notable effect of this change is that the insecure RC4 ciphers are disabled and that Chrome negotiates a more secure ECDHE cipher.

Reviewed-By: James M Snell <[email protected]>
PR-URL: #14383
Add command line switches and environment variables to override the default cipher suite in tls.js

`--cipher-list` and `NODE_CIPHER_LIST` can be used to completely override the default cipher list with a given value.

`--enable-legacy-cipher-list` and `NODE_LEGACY_CIPHER_LIST` can be used to reset the default cipher list back to a known legacy value shipped in prior Node.js releases.

A new `getLegacyCiphers` method on the tls module allows programmatic access to the old cipher list defaults.

Reviewed-By: James M Snell <[email protected]>
PR-URL: #14383
Based on commit feedback, make the PrintHelp for --enable-legacy-cipher-list less verbose.

Reviewed-By: James M Snell <[email protected]>
PR-URL: #14383
Per the commit feedback, fix up style nits and pass in the isolate with the NODE_DEFINE_STRING_CONSTANT macro.

Reviewed-By: James M Snell <[email protected]>
PR-URL: #14383
typo and unnecessary options init

Reviewed-By: James M Snell <[email protected]>
PR-URL: #14383
Landed
- `--cipher-list` and `--enable-legacy-cipher-list` command line switches. `--cipher-list` allows a new default cipher list to be specified; `--enable-legacy-cipher-list` tells node to use specific older cipher lists
- `NODE_CIPHER_LIST` and `NODE_LEGACY_CIPHER_LIST` environment variables as alternatives to the command line switches
- `getLegacyCiphers` method to the TLS module