doc: adding tls.createServer secureOptions section #9340

Closed
wants to merge 1 commit into from
6 changes: 6 additions & 0 deletions doc/api/tls.md
@@ -1027,6 +1027,11 @@ added: v0.3.2
force SSL version 3. The possible values depend on the version of OpenSSL
installed in the environment and are defined in the constant
[SSL_METHODS][].
* `secureOptions` {number} The options via bitmask affecting the protocol
Contributor
A bitmask affecting the protocol....

Please describe the default value/behaviour when not specified.

Contributor Author
I'm having trouble determining how to specify the default behavior because I'm unsure whether we want to disclose the underlying implementation to the user. The setting itself doesn't really default to anything; however, SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 are always set on the SSL context, and _tls_common.createSecureContext is adding SSL_OP_CIPHER_SERVER_PREFERENCE if the honorCipherOrder option is true. Is this something that we wish to describe to the user in this section?

Contributor
I don't see SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 always set on the SSL context, can you reference where?

Please review https://github.com/nodejs/node/pull/9800/files, I think I document this.

Contributor Author
The SecureContext itself appears to always be setting these here: https://github.com/nodejs/node/blob/master/src/node_crypto.cc#L398

I have no issues with your PR, and think the documentation you did is sufficient. Feel free to close this one.

behavior of SSL. This can be used to limit the versions of SSL/TLS, e.q.
`crypto.constants.SSL_OP_NO_TLSv1 | crypto.constants.SSL_OP_NO_TLSv1_1` to
deny TLSv1 and TLSv1.1 connections. For more details, see
[OpenSSL Options][].
* `secureConnectionListener` {Function}

Creates a new [tls.Server][]. The `secureConnectionListener`, if provided, is
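Review bot: the new bullet has a typo and an unparseable opening clause, and it still says nothing about the default. "e.q." in "limit the versions of SSL/TLS, e.q." should be "e.g.", and "The options via bitmask affecting the protocol behavior of SSL" reads better as "A bitmask affecting the protocol behavior of OpenSSL" (the wording already proposed in the thread). For the default, the entry should state what applies when `secureOptions` is omitted and how a user-supplied mask combines with the bits Node sets on the context itself; the thread disagrees on whether `SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3` are always set and whether `honorCipherOrder` adds `SSL_OP_CIPHER_SERVER_PREFERENCE`, so whichever behaviour is confirmed in node_crypto.cc / _tls_common.js is the one to write down, rather than leaving the reader to guess. The example would also be clearer as a call, since the constants live under `crypto.constants` and the reader must `require('crypto')` to use them: `tls.createServer({ secureOptions: crypto.constants.SSL_OP_NO_TLSv1 | crypto.constants.SSL_OP_NO_TLSv1_1, ... })`.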
@@ -1279,3 +1284,4 @@ where `secure_socket` has the same API as `pair.cleartext`.
[`tls.TLSSocket.getPeerCertificate()`]: #tls_tlssocket_getpeercertificate_detailed
[`tls.createSecureContext()`]: #tls_tls_createsecurecontext_options
[`tls.connect()`]: #tls_tls_connect_options_callback
[OpenSSL Options]: crypto.html#crypto_openssl_options
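Review bot: the new `[OpenSSL Options]: crypto.html#crypto_openssl_options` definition is the only one in this list whose target lives in another document; the neighbouring entries all resolve to `#tls_...` anchors in tls.md, so confirm that crypto.md really has a heading that renders to the `crypto_openssl_options` anchor (a mismatch produces a link that renders fine but goes nowhere), and keep the label spelled exactly as the `[OpenSSL Options][]` usage in the new bullet above so the reference resolves.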