diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md
index adfb3305268df0..b8170f1e440309 100644
--- a/doc/api/deprecations.md
+++ b/doc/api/deprecations.md
@@ -737,6 +737,16 @@ Type: Runtime
 internal mechanics of the `REPLServer` itself, and is therefore not necessary in user space.
+
+### DEP0083: Disabling ECDH by setting ecdhCurve to false
+
+Type: Runtime
+
+The `ecdhCurve` option to `tls.createSecureContext()` and `tls.TLSSocket` could
+be set to `false` to disable ECDH entirely on the server only. This mode is
+deprecated in preparation for migrating to OpenSSL 1.1.0 and consistency with
+the client. Use the `ciphers` parameter instead.
+
 [`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size
 [`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index 4196cc084c86c4..75eb6a2ec53449 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -65,6 +65,16 @@ function validateKeyCert(value, type) {
 exports.SecureContext = SecureContext;
+function ecdhCurveWarning() {
+  if (ecdhCurveWarning.emitted) return;
+  process.emitWarning('{ ecdhCurve: false } is deprecated.',
+                      'DeprecationWarning',
+                      'DEP0083');
+  ecdhCurveWarning.emitted = true;
+}
+ecdhCurveWarning.emitted = false;
+
+
 exports.createSecureContext = function createSecureContext(options, context) {
   if (!options) options = {};
@@ -140,6 +150,8 @@ exports.createSecureContext = function createSecureContext(options, context) {
     c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
   else if (options.ecdhCurve)
     c.context.setECDHCurve(options.ecdhCurve);
+  else
+    ecdhCurveWarning();
   if (options.dhparam) {
     const warning = c.context.setDHParam(options.dhparam);
diff --git a/test/parallel/test-tls-ecdh-disable.js b/test/parallel/test-tls-ecdh-disable.js
index 72b51771c87280..af97fbfcdd0492 100644
--- a/test/parallel/test-tls-ecdh-disable.js
+++ b/test/parallel/test-tls-ecdh-disable.js
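Review bot: The once-only guard in ecdhCurveWarning is kept as a property on the function object (`ecdhCurveWarning.emitted`) and initialised on a separate line after the declaration, which spreads one piece of state over two places; a module-scoped flag reads more directly: `let ecdhCurveWarned = false;` before the function, then `if (ecdhCurveWarned) return;` and `ecdhCurveWarned = true;` inside it. The helper also carries no comment saying why it exists or why it is rate-limited; suggested header: `// Emits DEP0083 at most once per process when a caller disables server-side ECDH via a falsy ecdhCurve.` Either shape is fine functionally, since the flag is only read and written here.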
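Review bot: The new `else` at the end of the ecdhCurve chain is reached for every falsy value the earlier branches do not handle, so `null`, `0` and `''` receive a warning whose text names `{ ecdhCurve: false }` specifically, while ECDH stays disabled on the server exactly as it does for `false`. That wider trigger is worth stating at the branch so a reader does not assume only `false` lands here: `// Any other falsy value also leaves ECDH disabled on the server (DEP0083); warn once.` If the intent is that only `false` is deprecated, the branch condition, not just the message, should say so. The first condition of this chain and the rest of createSecureContext lie outside the hunk, so the exact set of values reaching the else is inferred from the visible `else if (options.ecdhCurve)`.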
@@ -31,6 +31,11 @@ if (!common.hasCrypto)
 if (!common.opensslCli)
   common.skip('missing openssl-cli');
+const OPENSSL_VERSION_NUMBER =
+  require('crypto').constants.OPENSSL_VERSION_NUMBER;
+if (OPENSSL_VERSION_NUMBER >= 0x10100000)
+  common.skip('false ecdhCurve not supported in OpenSSL 1.1.0');
+
 const assert = require('assert');
 const tls = require('tls');
 const exec = require('child_process').exec;
@@ -42,6 +47,9 @@ const options = {
   ecdhCurve: false
 };
+common.expectWarning('DeprecationWarning',
+                     '{ ecdhCurve: false } is deprecated.');
+
 const server = tls.createServer(options, common.mustNotCall());
 server.listen(0, '127.0.0.1', common.mustCall(function() {
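Review bot: `common.expectWarning` here pins only the message text and the test builds a single server, so the once-per-process guard added in lib/_tls_common.js is never exercised; if expectWarning asserts exactly one emission, creating a second context after the server is up, e.g. `tls.createSecureContext(options);`, would confirm the warning is not repeated. The gate `OPENSSL_VERSION_NUMBER >= 0x10100000` skips the whole file on OpenSSL 1.1.0 and later, which also drops the warning assertion there even though the deprecation path itself does not depend on the OpenSSL version; a short comment above the skip would make that trade-off explicit: `// ECDH cannot be disabled on OpenSSL >= 1.1.0; the DEP0083 warning is only checked on older builds.` The listen callback and the rest of the test continue outside the hunk.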