Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: adding tls.createServer secureOptions section #9340

Closed
wants to merge 1 commit into from

Conversation

kobelb
Copy link
Contributor

@kobelb kobelb commented Oct 28, 2016

Checklist
  • documentation is changed or added
  • commit message follows commit guidelines
Affected core subsystem(s)

doc

Description of change

Adding documentation for the tls.createServer secureOptions.

Resolves: #9025

@nodejs-github-bot nodejs-github-bot added doc Issues and PRs related to the documentations. tls Issues and PRs related to the tls subsystem. labels Oct 28, 2016
@@ -1027,6 +1027,11 @@ added: v0.3.2
force SSL version 3. The possible values depend on the version of OpenSSL
installed in the environment and are defined in the constant
[SSL_METHODS][].
* `secureOptions` {number} The options via bitmask affecting the protocol
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A bitmask affecting the protocol....

Please describe the default value/behaviour when not specified.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm having trouble determining how to specify the default behavior because I'm unsure whether we want to disclose the underlying implementation to the user. The setting itself doesn't really default to anything; however, SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 are always set on the SSL context; and _tls_common.createSecureContext is adding SSL_OP_CIPHER_SERVER_PREFERENCE if the honorCipherOrder options is true. Is this something that we wish to describe to the user in this section?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 always set on the SSL context, can you reference where?

Please review https://github.com/nodejs/node/pull/9800/files, I think I document this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SecureContext itself appears to always be setting these here: https://github.com/nodejs/node/blob/master/src/node_crypto.cc#L398

I have no issues with your PR, and think the documentation you did is sufficient. Feel free to close this one.

behavior of SSL. This can be used to limit the versions of SSL/TLS, e.q.
`crypto.constants.SSL_OP_NO_TLSv1 | crypto.constants.SSL_OP_NO_TLSv1_1` to
deny TLSv1 and TLSv1.1 connections. For more details, see
[Crypto Constants][].
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are no more details in the Crypto Constants section! There are actually three sections, and I can't tell which of the options from which of the sections are actually allowed to be specified as a secureOption. Probably there should be a specific section for the options that are allowed in secureOptions, unless they all are? Or can the options that are valid for secureOptions be used in other places?

@sam-github
Copy link
Contributor

Definitely needs docs, two thumbs up for that, but these docs aren't quite complete enough to describe how to use the secureOptions, see my comments.

@silverwind
Copy link
Contributor

ping @kobelb

@kobelb
Copy link
Contributor Author

kobelb commented Nov 23, 2016

@silverwind I'll try and get something together to address the comments early next week

@kobelb kobelb force-pushed the tls-secure-options branch from 43f4705 to 59538eb Compare November 30, 2016 12:15
@silverwind
Copy link
Contributor

There's now another PR that adds this option: 32c15c9

@sam-github what shall we do with this one?

@sam-github
Copy link
Contributor

Author agrees this can be closed #9340 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
doc Issues and PRs related to the documentations. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants