doc: remove SSLv2 descriptions
Doc descriptions related to SSLv2 are no longer needed.

Fixes: #5529
PR-URL: #5541
Reviewed-By: Ben Noordhuis <[email protected]>
Shigeki Ohtsu committed Mar 3, 2016
1 parent f8cb0dc commit 6db377b
Showing 2 changed files with 7 additions and 15 deletions.
19 changes: 7 additions & 12 deletions doc/api/tls.markdown
Expand Up @@ -40,24 +40,22 @@ To create .pfx or .p12, do this:

## Protocol support

Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these
Node.js is compiled with SSLv3 protocol support by default, but these
protocols are **disabled**. They are considered insecure and could be easily
compromised as was shown by [CVE-2014-3566][]. However, in some situations, it
may cause problems with legacy clients/servers (such as Internet Explorer 6).
If you wish to enable SSLv2 or SSLv3, run node with the `--enable-ssl2` or
`--enable-ssl3` flag respectively. In future versions of Node.js SSLv2 and
SSLv3 will not be compiled in by default.
If you wish to enable SSLv3, run node with the `--enable-ssl3` flag. In future
versions of Node.js SSLv3 will not be compiled in by default.

There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly
specifying `secureProtocol` to `'SSLv3_method'` or `'SSLv2_method'`.
There is a way to force node into using SSLv3 only mode by explicitly
specifying `secureProtocol` to `'SSLv3_method'`.

The default protocol method Node.js uses is `SSLv23_method` which would be more
accurately named `AutoNegotiate_method`. This method will try and negotiate
from the highest level down to whatever the client supports. To provide a
secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3
and SSLv2 by setting the `secureOptions` to be
`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
`--enable-ssl3`, or `--enable-ssl2`, or `SSLv3_method` as `secureProtocol`).
by setting the `secureOptions` to be `SSL_OP_NO_SSLv3` (again, unless you have
passed `--enable-ssl3`, or `SSLv3_method` as `secureProtocol`).

If you have set `secureOptions` to anything, we will not override your
options.
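Review bot: The new opening line of "Protocol support" names only SSLv3, but the unchanged text that follows still reads "these protocols are **disabled**. They are considered insecure", so the plural is left without a referent. Suggest "but this protocol is **disabled**. It is considered insecure and could be easily compromised". The rewritten `secureOptions` sentence now documents the default as `SSL_OP_NO_SSLv3` alone, so it is worth confirming that this matches what the code actually sets.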
Expand Down Expand Up @@ -172,9 +170,6 @@ automatically set as a listener for the [secureConnection][] event. The
- `honorCipherOrder` : When choosing a cipher, use the server's preferences
instead of the client preferences.

Note that if SSLv2 is used, the server will send its list of preferences
to the client, and the client chooses the cipher.

Although, this option is disabled by default, it is *recommended* that you
use this option in conjunction with the `ciphers` option to mitigate
BEAST attacks.
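Review bot: With the SSLv2 note removed, the `honorCipherOrder` description runs straight into "Although, this option is disabled by default", and the comma after "Although" is stray. Since the paragraph is being touched anyway, it could be dropped in the same change.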
3 changes: 0 additions & 3 deletions doc/node.1
Expand Up @@ -62,9 +62,6 @@ and servers.

--max-stack-size=val set max v8 stack size (bytes)

--enable-ssl2 enable ssl2 in crypto, tls, and https
modules

--enable-ssl3 enable ssl3 in crypto, tls, and https
modules
