(-)a/BUILDING.md (-5 / +14 lines)
Lines 130-149 Depending on the host platform, the selection of toolchains may vary. Link Here
130
130
131
#### OpenSSL asm support
131
#### OpenSSL asm support
132
132
133
OpenSSL-1.1.0 requires the following assembler version for use of asm
133
OpenSSL-1.1.1 requires the following assembler version for use of asm
134
support on x86_64 and ia32.
134
support on x86_64 and ia32.
135
135
136
For use of AVX-512,
137
138
* gas (GNU assembler) version 2.26 or higher
139
* nasm version 2.11.8 or higher in Windows
140
141
Note that AVX-512 is disabled for Skylake-X by OpenSSL-1.1.1.
142
143
For use of AVX2,
144
136
* gas (GNU assembler) version 2.23 or higher
145
* gas (GNU assembler) version 2.23 or higher
137
* Xcode version 5.0 or higher
146
* Xcode version 5.0 or higher
138
* llvm version 3.3 or higher
147
* llvm version 3.3 or higher
139
* nasm version 2.10 or higher in Windows
148
* nasm version 2.10 or higher in Windows
140
149
141
If compiling without one of the above, use `configure` with the
150
Please refer to
142
`--openssl-no-asm` flag. Otherwise, `configure` will fail.
143
144
The forthcoming OpenSSL-1.1.1 will have different requirements. Please refer to
145
 https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_ia32cap.html for details.
151
 https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_ia32cap.html for details.
146
152
153
 If compiling without one of the above, use `configure` with the
154
`--openssl-no-asm` flag. Otherwise, `configure` will fail.
155
147
## Building Node.js on supported platforms
156
## Building Node.js on supported platforms
148
157
149
The [bootstrapping guide](https://github.com/nodejs/node/blob/master/tools/bootstrap/README.md)
158
The [bootstrapping guide](https://github.com/nodejs/node/blob/master/tools/bootstrap/README.md)
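Review bot: new line 153 (" If compiling without one of the above, ...") starts with a stray leading space, and "one of the above" is now ambiguous because the section lists two sets of minimum versions (AVX-512 and AVX2). Suggest dropping the space and stating which list `--openssl-no-asm` is tied to, that is, whether an assembler that meets the AVX2 list but not the AVX-512 list still lets `configure` succeed. The bare "Please refer to" at new line 150 also lost the sentence that introduced it, so the text no longer says what the link covers.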
(-)a/src/node_crypto.cc (-1 / +25 lines)
Lines 485-490 void SecureContext::Init(const FunctionCallbackInfo<Value>& args) { Link Here
485
                                 SSL_SESS_CACHE_NO_AUTO_CLEAR);
485
                                 SSL_SESS_CACHE_NO_AUTO_CLEAR);
486
486
487
  SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);
487
  SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);
488
489
  if (max_version == 0) {
490
    // Selecting some secureProtocol methods allows the TLS version to be "any
491
    // supported", but we don't support TLSv1.3, even if OpenSSL does.
492
    max_version = TLS1_2_VERSION;
493
  }
488
  SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
494
  SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
489
  // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
495
  // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
490
  // exposed in the public API. To retain compatibility, install a callback
496
  // exposed in the public API. To retain compatibility, install a callback
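Review bot: in `SecureContext::Init`, the cap to `TLS1_2_VERSION` is applied only when `max_version == 0`, so any non-zero value reaches `SSL_CTX_set_max_proto_version()` unchanged. If a caller can ever pass a value above `TLS1_2_VERSION`, the comment's "we don't support TLSv1.3" would not hold for that path; either clamp unconditionally or extend the comment to say why a non-zero `max_version` cannot exceed TLS 1.2. The return values of both `SSL_CTX_set_min_proto_version()` and `SSL_CTX_set_max_proto_version()` are also ignored in the visible lines.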
Lines 906-913 void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) { Link Here
906
912
907
  THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers");
913
  THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers");
908
914
915
  // Note: set_ciphersuites() is for TLSv1.3 and was introduced in openssl
916
  // 1.1.1, set_cipher_list() is for TLSv1.2 and earlier.
917
  //
918
  // In openssl 1.1.0, set_cipher_list() would error if it resulted in no
919
  // TLSv1.2 (and earlier) cipher suites, and there is no TLSv1.3 support.
920
  //
921
  // In openssl 1.1.1, set_cipher_list() will not error if it results in no
922
  // TLSv1.2 cipher suites if there are any TLSv1.3 cipher suites, which there
923
  // are by default. There will be an error later, during the handshake, but
924
  // that results in an async error event, rather than a sync error thrown,
925
  // which is a semver-major change for the tls API.
926
  //
927
  // Since we don't currently support TLSv1.3, work around this by removing the
928
  // TLSv1.3 cipher suites, so we get backwards compatible synchronous errors.
909
  const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
929
  const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
910
  if (!SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
930
  if (
931
#ifdef TLS1_3_VERSION
932
      !SSL_CTX_set_ciphersuites(sc->ctx_.get(), "") ||
933
#endif
934
      !SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
911
    unsigned long err = ERR_get_error();  // NOLINT(runtime/int)
935
    unsigned long err = ERR_get_error();  // NOLINT(runtime/int)
912
    if (!err) {
936
    if (!err) {
913
      return env->ThrowError("Failed to set ciphers");
937
      return env->ThrowError("Failed to set ciphers");
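Review bot: in the condition at new lines 930-934, a failure of `SSL_CTX_set_ciphersuites(sc->ctx_.get(), "")` falls into the same branch as a rejected cipher string, so it is reported as a cipher-list problem (or as "Failed to set ciphers") and, because of the `||`, `SSL_CTX_set_cipher_list()` is never attempted. Suggest hoisting the TLSv1.3 suite clearing into its own statement inside the `#ifdef TLS1_3_VERSION` block ahead of the `if`, with its own error message; that also removes the preprocessor directive from the middle of the condition, which is hard to read.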
(-)a/src/tls_wrap.cc (-1 / +4 lines)
Lines 222-228 void TLSWrap::SSLInfoCallback(const SSL* ssl_, int where, int ret) { Link Here
222
    }
222
    }
223
  }
223
  }
224
224
225
  if (where & SSL_CB_HANDSHAKE_DONE) {
225
  // SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE are called
226
  // sending HelloRequest in OpenSSL-1.1.1.
227
  // We need to check whether this is in a renegotiation state or not.
228
  if (where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)) {
226
    Local<Value> callback;
229
    Local<Value> callback;
227
230
228
    c->established_ = true;
231
    c->established_ = true;
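Review bot: the new condition at line 228, `where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)`, mixes `&` and `&&` without parentheses; it evaluates as intended, but `(where & SSL_CB_HANDSHAKE_DONE) && ...` makes that explicit and avoids compiler warnings. The callback parameter in the hunk header is `ssl_` while the call uses `ssl`, so please confirm `ssl` is declared earlier in the function. The comment at lines 225-226 ("are called sending HelloRequest") is missing a word such as "when".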
(-)a/test/parallel/test-tls-set-ciphers-error.js (-22 lines)
Lines 1-22 Link Here
1
'use strict';
2
const common = require('../common');
3
4
if (!common.hasCrypto)
5
  common.skip('missing crypto');
6
7
const assert = require('assert');
8
const tls = require('tls');
9
const fixtures = require('../common/fixtures');
10
11
{
12
  const options = {
13
    key: fixtures.readKey('agent2-key.pem'),
14
    cert: fixtures.readKey('agent2-cert.pem'),
15
    ciphers: 'aes256-sha'
16
  };
17
  assert.throws(() => tls.createServer(options, common.mustNotCall()),
18
                /no cipher match/i);
19
  options.ciphers = 'FOOBARBAZ';
20
  assert.throws(() => tls.createServer(options, common.mustNotCall()),
21
                /no cipher match/i);
22
}
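Review bot: deleting `test-tls-set-ciphers-error.js` removes the only visible check that `tls.createServer()` throws `/no cipher match/i` synchronously, which is exactly the behaviour the new comment in `SecureContext::SetCiphers` says the `SSL_CTX_set_ciphersuites(..., "")` workaround preserves. Suggest keeping the test, or stating in the patch description why it has to go (for example, if it fails for an unrelated reason under OpenSSL-1.1.1), so the backwards-compatibility claim stays covered.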

Return to bug 670574