Gentoo's Bugzilla – Attachment 555900 Details for
Bug 670574
net-libs/nodejs depends on =dev-libs/openssl-1.1.0*
[patch]
nodejs-10.13.0-openssl-compat.patch
nodejs-10.13.0-openssl-compat.patch (text/plain), 8.51 KB, created by
Guillaume Ceccarelli
on 2018-11-21 18:46:53 UTC
Description:
nodejs-10.13.0-openssl-compat.patch
Filename:
MIME Type:
Creator:
Guillaume Ceccarelli
Created:
2018-11-21 18:46:53 UTC
Size:
8.51 KB
patch
obsolete
>diff --git a/doc/api/tls.md b/doc/api/tls.md
>index fe8bfa27ef..3eec7d1e71 100644
>--- a/doc/api/tls.md
>+++ b/doc/api/tls.md
>@@ -1028,6 +1028,10 @@ changes:
> pr-url: https://github.com/nodejs/node/pull/4099
> description: The `ca` option can now be a single string containing multiple
> CA certificates.
>+ - version: XXX
>+ pr-url: XXX
>+ description: The `min_version` and `max_version` can be used to restrict
>+ the allowed TLS protocol versions.
> -->
> 
> * `options` {Object}
>@@ -1086,6 +1090,16 @@ changes:
> passphrase: <string>]}`. The object form can only occur in an array.
> `object.passphrase` is optional. Encrypted keys will be decrypted with
> `object.passphrase` if provided, or `options.passphrase` if it is not.
>+ * `max_version`: Maximum TLS version to allow. One of `'TLSv1.3'`, `TLSv1.2'`,
>+ `'TLSv1.1'`, or `'TLSv1'`. Optional, defaults to `'TLSv1.2'`. Note that
>+ TLS1.3 is not currently supported, do not attempt to allow it. If
>+ `secureProtocol` is used to select a specific protocol version,
>+ `max_version` will be ignored.
>+ * `min_version`: Minimum TLS version to allow. One of `'TLSv1.3'`, `TLSv1.2'`,
>+ `'TLSv1.1'`, or `'TLSv1'`. Optional, defaults to `'TLSv1'`. Note that
>+ TLS1.3 is not currently supported, do not attempt to allow it. If
>+ `secureProtocol` is used to select a specific protocol version,
>+ `min_version` will be ignored.
> * `passphrase` {string} Shared passphrase used for a single private key and/or
> a PFX.
> * `pfx` {string|string[]|Buffer|Buffer[]|Object[]} PFX or PKCS12 encoded
>diff --git a/lib/_tls_common.js b/lib/_tls_common.js
>index 60995278a3..8c8397c240 100644
>--- a/lib/_tls_common.js
>+++ b/lib/_tls_common.js
>@@ -36,9 +36,11 @@ var crypto = null;
> 
> const { SecureContext: NativeSecureContext } = process.binding('crypto');
> 
>-function SecureContext(secureProtocol, secureOptions, context) {
>+function SecureContext(secureProtocol, secureOptions, context, min_version,
>+ max_version) {
> if (!(this instanceof SecureContext)) {
>- return new SecureContext(secureProtocol, secureOptions, context);
>+ return new SecureContext(secureProtocol, secureOptions, context,
>+ min_version, max_version);
> }
> 
> if (context) {
>@@ -47,9 +49,9 @@ function SecureContext(secureProtocol, secureOptions, context) {
> this.context = new NativeSecureContext();
> 
> if (secureProtocol) {
>- this.context.init(secureProtocol);
>+ this.context.init(min_version, max_version, secureProtocol);
> } else {
>- this.context.init();
>+ this.context.init(min_version, max_version);
> }
> }
> 
>@@ -76,7 +78,9 @@ exports.createSecureContext = function createSecureContext(options, context) {
> if (options.honorCipherOrder)
> secureOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
> 
>- const c = new SecureContext(options.secureProtocol, secureOptions, context);
>+ const c = new SecureContext(options.secureProtocol, secureOptions, context,
>+ options.min_version || tls.DEFAULT_MIN_VERSION,
>+ options.max_version || tls.DEFAULT_MAX_VERSION);
> var i;
> var val;
> 
>diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
>index 0c3c0e3cfc..bd3f969b69 100644
>--- a/lib/_tls_wrap.js
>+++ b/lib/_tls_wrap.js
>@@ -875,6 +875,8 @@ function Server(options, listener) {
> ciphers: this.ciphers,
> ecdhCurve: this.ecdhCurve,
> dhparam: this.dhparam,
>+ min_version: this.min_version,
>+ max_version: this.max_version,
> secureProtocol: this.secureProtocol,
> secureOptions: this.secureOptions,
> honorCipherOrder: this.honorCipherOrder,
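Review bot: In the createSecureContext hunk, `options.min_version` and `options.max_version` are forwarded to the native `init` without any validation, and this is the only place both the public `tls.createSecureContext()` and `tls.Server` paths pass through. A non-string value fails the `IsString()` check on the C++ side and an unrecognised string such as `'TLSv1.0'` is mapped to 0 by `string_to_tls_protocol`, which OpenSSL interprets as "no bound", so a typo in a hardening option silently removes the limit instead of failing. I would reject anything outside the documented set before constructing the context, and also check that `min_version` does not exceed `max_version`, which otherwise only surfaces as handshake failures. Whether `tls` is already required in `_tls_common.js` and which error helper (`internal/errors`) is in scope is not visible in this hunk, so adjust the error class to the file's convention.
```javascript
  // … unchanged: honorCipherOrder handling …
  const TLS_VERSIONS = ['TLSv1.3', 'TLSv1.2', 'TLSv1.1', 'TLSv1'];
  for (const opt of ['min_version', 'max_version']) {
    if (options[opt] !== undefined && !TLS_VERSIONS.includes(options[opt]))
      throw new TypeError(`Invalid ${opt}: ${options[opt]}`);
  }
  const minVersion = options.min_version || tls.DEFAULT_MIN_VERSION;
  const maxVersion = options.max_version || tls.DEFAULT_MAX_VERSION;
  if (TLS_VERSIONS.indexOf(minVersion) < TLS_VERSIONS.indexOf(maxVersion))
    throw new RangeError(`min_version ${minVersion} is newer than max_version ${maxVersion}`);
  const c = new SecureContext(options.secureProtocol, secureOptions, context,
                              minVersion, maxVersion);
  // … unchanged: ca/cert/key/cipher setup …
```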
>@@ -946,6 +948,18 @@ Server.prototype.setOptions = function(options) {
> if (options.clientCertEngine)
> this.clientCertEngine = options.clientCertEngine;
> if (options.ca) this.ca = options.ca;
>+ if (options.min_version) this.min_version = options.min_version;
>+ if (options.max_version) this.max_version = options.max_version;
>+ if (options.min_version)
>+ this.min_version = options.min_version;
>+ else
>+ this.min_version = undefined;
>+
>+ if (options.max_version)
>+ this.max_version = options.max_version;
>+ else
>+ this.max_version = undefined;
>+
> if (options.secureProtocol) this.secureProtocol = options.secureProtocol;
> if (options.crl) this.crl = options.crl;
> if (options.ciphers) this.ciphers = options.ciphers;
>diff --git a/lib/https.js b/lib/https.js
>index 15970c182e..e09193d1b1 100644
>--- a/lib/https.js
>+++ b/lib/https.js
>@@ -187,6 +187,14 @@ Agent.prototype.getName = function getName(options) {
> if (options.servername && options.servername !== options.host)
> name += options.servername;
> 
>+ name += ':';
>+ if (options.min_version)
>+ name += options.min_version;
>+
>+ name += ':';
>+ if (options.max_version)
>+ name += options.max_version;
>+
> name += ':';
> if (options.secureProtocol)
> name += options.secureProtocol;
>diff --git a/lib/tls.js b/lib/tls.js
>index ad75207141..d63981334a 100644
>--- a/lib/tls.js
>+++ b/lib/tls.js
>@@ -49,6 +49,14 @@ exports.DEFAULT_CIPHERS =
> 
> exports.DEFAULT_ECDH_CURVE = 'auto';
> 
>+// Disable TLS1.3 by default. The only reason for enabling it for now is to work
>+// on fixing cipher suite incompatibilities with TLS1.2 that prevent node from
>+// working with TLS1.3 in OpenSSL 1.1.1.
>+exports.DEFAULT_MAX_VERSION = 'TLSv1.2';
>+
>+exports.DEFAULT_MIN_VERSION = 'TLSv1';
>+
>+
> exports.getCiphers = internalUtil.cachedResult(
> () => internalUtil.filterDuplicateStrings(binding.getSSLCiphers(), true)
> );
>diff --git a/src/node_crypto.cc b/src/node_crypto.cc
>index 69d48b8c9a..72ad9432c2 100644
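Review bot: The first two added lines in the setOptions hunk, `if (options.min_version) this.min_version = options.min_version;` and `if (options.max_version) this.max_version = options.max_version;`, are dead: the if/else blocks that follow assign the same properties unconditionally, so the result is the same with or without them and they should be dropped. Note also that the `else this.min_version = undefined;` branches reset the field when the option is absent, whereas every sibling option in this function (`ca`, `secureProtocol`, `crl`, `ciphers`) keeps its previous value; this is harmless only because createSecureContext substitutes `tls.DEFAULT_MIN_VERSION`/`DEFAULT_MAX_VERSION` for undefined, and that dependency deserves a one-line comment, e.g. `// undefined is replaced by tls.DEFAULT_{MIN,MAX}_VERSION in createSecureContext`.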
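Review bot: The comment above `exports.DEFAULT_MAX_VERSION` explains the TLS 1.3 cap but `exports.DEFAULT_MIN_VERSION = 'TLSv1'` is left unexplained, and it is the security-relevant one: it keeps TLS 1.0 and 1.1 negotiable by default for every server and client that does not set `min_version`. That matches the behaviour before this patch (no floor was set), so it is a compatibility choice rather than a regression, but it should be stated so nobody reads it as a recommendation. I would add `// TLSv1 is kept as the floor to preserve existing behaviour; deployments without legacy clients should pass min_version: 'TLSv1.2'.` and consider a release-notes entry pointing at the new knob.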
>--- a/src/node_crypto.cc
>+++ b/src/node_crypto.cc
>@@ -371,6 +371,24 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
> }
> 
> 
>+int string_to_tls_protocol(const char* version_str) {
>+ int version;
>+
>+ if (strcmp(version_str, "TLSv1.3") == 0) {
>+ version = TLS1_3_VERSION;
>+ } else if (strcmp(version_str, "TLSv1.2") == 0) {
>+ version = TLS1_2_VERSION;
>+ } else if (strcmp(version_str, "TLSv1.1") == 0) {
>+ version = TLS1_1_VERSION;
>+ } else if (strcmp(version_str, "TLSv1") == 0) {
>+ version = TLS1_VERSION;
>+ } else {
>+ version = 0;
>+ }
>+ return version;
>+}
>+
>+
> void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
> SecureContext* sc;
> ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
>@@ -378,10 +396,21 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
> 
> int min_version = 0;
> int max_version = 0;
>+
>+ if (args[0]->IsString()) {
>+ const node::Utf8Value min(env->isolate(), args[0]);
>+ min_version = string_to_tls_protocol(*min);
>+ }
>+
>+ if (args[1]->IsString()) {
>+ const node::Utf8Value max(env->isolate(), args[1]);
>+ max_version = string_to_tls_protocol(*max);
>+ }
>+
> const SSL_METHOD* method = TLS_method();
>- if (args.Length() == 1 && args[0]->IsString()) {
>- const node::Utf8Value sslmethod(env->isolate(), args[0]);
>+ if (args.Length() == 3 && args[2]->IsString()) {
>+ const node::Utf8Value sslmethod(env->isolate(), args[2]);
> 
> // Note that SSLv2 and SSLv3 are disallowed but SSLv23_method and friends
> // are still accepted. They are OpenSSL's way of saying that all known
>diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
>index 6577ffd3ec..ee0e2c6a23 100644
>--- a/src/tls_wrap.cc
>+++ b/src/tls_wrap.cc
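Review bot: `string_to_tls_protocol` is a file-local helper but is declared with external linkage; it should be `static int string_to_tls_protocol(const char* version_str)` (or live in the file's anonymous namespace, if there is one above this hunk) so it does not leak a generic symbol out of node_crypto.cc. Its "unknown string maps to 0" contract is load-bearing, because 0 is what OpenSSL's version setters take to mean "no limit", and that should be stated at the definition: `// Returns the OpenSSL TLS*_VERSION constant for a documented name, or 0 if the name is unknown; callers must treat 0 as an error, not as "any version".` The `TLS1_3_VERSION` token only exists from OpenSSL 1.1.1 on; since this bug is about the 1.1.0 dependency, building against 1.1.0 would presumably fail here unless that branch is wrapped in `#ifdef TLS1_3_VERSION`.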
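Review bot: In the Init hunk, an unrecognised `min_version` or `max_version` string leaves the corresponding variable at 0 and execution continues, so a caller who mistypes `max_version: 'TLSv1.2'` removes the upper bound entirely (enabling the TLS 1.3 path the docs say must stay off) and a mistyped `min_version` lowers the floor to whatever OpenSSL permits. The conversion result should be checked and the call rejected, using the same error path the unknown-`secureProtocol` branch takes further down in Init (outside this hunk; I have assumed `env->ThrowError`, adjust to whatever that branch uses). The rest of Init, including where min_version/max_version are applied to the context, is outside the hunk, so I cannot confirm whether they are also applied when `secureProtocol` is given, which the documentation says they are not.
```cpp
  if (args[0]->IsString()) {
    const node::Utf8Value min(env->isolate(), args[0]);
    min_version = string_to_tls_protocol(*min);
    if (min_version == 0)
      return env->ThrowError("Unknown min_version");
  }

  if (args[1]->IsString()) {
    const node::Utf8Value max(env->isolate(), args[1]);
    max_version = string_to_tls_protocol(*max);
    if (max_version == 0)
      return env->ThrowError("Unknown max_version");
  }
  // … unchanged: method selection from secureProtocol …
```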
>@@ -227,7 +227,10 @@ void TLSWrap::SSLInfoCallback(const SSL* ssl_, int where, int ret) {
> }
> }
> 
>- if (where & SSL_CB_HANDSHAKE_DONE) {
>+ // SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE are called
>+ // sending HelloRequest in OpenSSL-1.1.1.
>+ // We need to check whether this is in a renegotiation state or not.
>+ if (where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)) {
> c->established_ = true;
> Local<Value> callback = object->Get(env->onhandshakedone_string());
> if (callback->IsFunction()) {
>diff --git a/test/parallel/test-https-agent-getname.js b/test/parallel/test-https-agent-getname.js
>index c29e09731d..d27763c215 100644
>--- a/test/parallel/test-https-agent-getname.js
>+++ b/test/parallel/test-https-agent-getname.js
>@@ -12,7 +12,7 @@ const agent = new https.Agent();
> // empty options
> assert.strictEqual(
> agent.getName({}),
>- 'localhost:::::::::::::::::'
>+ 'localhost:::::::::::::::::::'
> );
> 
> // pass all options arguments
>@@ -39,5 +39,5 @@ const options = {
> assert.strictEqual(
> agent.getName(options),
> '0.0.0.0:443:192.168.1.1:ca:cert::ciphers:key:pfx:false:localhost:' +
>- 'secureProtocol:c,r,l:false:ecdhCurve:dhparam:0:sessionIdContext'
>+ '::secureProtocol:c,r,l:false:ecdhCurve:dhparam:0:sessionIdContext'
> );
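Review bot: The new condition `where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)` is correct as written because `&` binds tighter than `&&`, but a bitmask test next to a logical operator is exactly the place reviewers misread, so parenthesise it: `if ((where & SSL_CB_HANDSHAKE_DONE) && !SSL_renegotiate_pending(ssl)) {`. The three-line comment above it is hard to parse ("are called sending HelloRequest"); I would reword it to `// With OpenSSL 1.1.1, SSL_CB_HANDSHAKE_START/DONE also fire when a HelloRequest is sent, so only treat DONE as the initial handshake completing when no renegotiation is pending.` The condition uses `ssl` while the parameter is `const SSL* ssl_`, so this relies on a non-const alias declared above the hunk; the rest of SSLInfoCallback is outside the view and I have not verified that.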