-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: adding tls.createServer secureOptions section #9340
Conversation
@@ -1027,6 +1027,11 @@ added: v0.3.2 | |||
force SSL version 3. The possible values depend on the version of OpenSSL | |||
installed in the environment and are defined in the constant | |||
[SSL_METHODS][]. | |||
* `secureOptions` {number} The options via bitmask affecting the protocol |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A bitmask affecting the protocol....
Please describe the default value/behaviour when not specified.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm having trouble determining how to specify the default behavior because I'm unsure whether we want to disclose the underlying implementation to the user. The setting itself doesn't really default to anything; however, SSL_OP_NO_SSLv2
and SSL_OP_NO_SSLv3
are always set on the SSL context; and _tls_common.createSecureContext
is adding SSL_OP_CIPHER_SERVER_PREFERENCE
if the honorCipherOrder
options is true. Is this something that we wish to describe to the user in this section?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 always set on the SSL context, can you reference where?
Please review https://github.com/nodejs/node/pull/9800/files, I think I document this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The SecureContext itself appears to always be setting these here: https://github.com/nodejs/node/blob/master/src/node_crypto.cc#L398
I have no issues with your PR, and think the documentation you did is sufficient. Feel free to close this one.
behavior of SSL. This can be used to limit the versions of SSL/TLS, e.q. | ||
`crypto.constants.SSL_OP_NO_TLSv1 | crypto.constants.SSL_OP_NO_TLSv1_1` to | ||
deny TLSv1 and TLSv1.1 connections. For more details, see | ||
[Crypto Constants][]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are no more details in the Crypto Constants section! There are actually three sections, and I can't tell which of the options from which of the sections are actually allowed to be specified as a secureOption
. Probably there should be a specific section for the options that are allowed in secureOptions
, unless they all are? Or can the options that are valid for secureOptions
be used in other places?
Definitely needs docs, two thumbs up for that, but these docs aren't quite complete enough to describe how to use the |
ping @kobelb |
@silverwind I'll try and get something together to address the comments early next week |
43f4705
to
59538eb
Compare
There's now another PR that adds this option: 32c15c9 @sam-github what shall we do with this one? |
Author agrees this can be closed #9340 (comment) |
Checklist
Affected core subsystem(s)
doc
Description of change
Adding documentation for the tls.createServer secureOptions.
Resolves: #9025