Lines 465-470
void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
|
465 |
SSL_SESS_CACHE_NO_AUTO_CLEAR); |
465 |
SSL_SESS_CACHE_NO_AUTO_CLEAR); |
466 |
|
466 |
|
467 |
SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version); |
467 |
SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version); |
|
|
468 |
|
469 |
if (max_version == 0) { |
470 |
// Selecting some secureProtocol methods allows the TLS version to be "any |
471 |
// supported", but we don't support TLSv1.3, even if OpenSSL does. |
472 |
max_version = TLS1_2_VERSION; |
473 |
} |
468 |
SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version); |
474 |
SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version); |
469 |
// OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was |
475 |
// OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was |
470 |
// exposed in the public API. To retain compatibility, install a callback |
476 |
// exposed in the public API. To retain compatibility, install a callback |
Lines 888-894
void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
|
888 |
|
894 |
|
889 |
THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers"); |
895 |
THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers"); |
890 |
|
896 |
|
|
|
897 |
// Note: set_ciphersuites() is for TLSv1.3 and was introduced in openssl |
898 |
// 1.1.1, set_cipher_list() is for TLSv1.2 and earlier. |
899 |
// |
900 |
// In openssl 1.1.0, set_cipher_list() would error if it resulted in no |
901 |
// TLSv1.2 (and earlier) cipher suites, and there is no TLSv1.3 support. |
902 |
// |
903 |
// In openssl 1.1.1, set_cipher_list() will not error if it results in no |
904 |
// TLSv1.2 cipher suites if there are any TLSv1.3 cipher suites, which there |
905 |
// are by default. There will be an error later, during the handshake, but |
906 |
// that results in an async error event, rather than a sync error thrown, |
907 |
// which is a semver-major change for the tls API. |
908 |
// |
909 |
// Since we don't currently support TLSv1.3, work around this by removing the |
910 |
// TLSv1.3 cipher suites, so we get backwards compatible synchronous errors. |
891 |
const node::Utf8Value ciphers(args.GetIsolate(), args[0]); |
911 |
const node::Utf8Value ciphers(args.GetIsolate(), args[0]); |
|
|
912 |
#ifdef TLS1_3_VERSION |
913 |
SSL_CTX_set_ciphersuites(sc->ctx_.get(), ""); |
914 |
#endif |
892 |
SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers); |
915 |
SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers); |
893 |
} |
916 |
} |
894 |
|
917 |
|
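Review bot: The new `SSL_CTX_set_ciphersuites(sc->ctx_.get(), "");` at new line 913 discards its return value, so if OpenSSL rejects the empty list the TLSv1.3 suites stay enabled and the workaround described in the comment block above silently does nothing — the no-cipher-match condition the comment wants to surface synchronously would then reappear only as the async handshake error it is trying to avoid. Since an empty suite list is a constant that should never fail to parse, I would make that assumption explicit and loud, e.g. `CHECK(SSL_CTX_set_ciphersuites(sc->ctx_.get(), ""));` (Node's CHECK macro, as used elsewhere in this file), rather than letting a silent failure change the error model. Separately, nothing on the visible lines checks the result of `SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers);`; if the synchronous throw the comment relies on is produced elsewhere (on the JS side or via the error queue) that is fine, but it is not visible in this hunk and is worth confirming before relying on it. SetCiphers starts before the hunk at line 888, and the min/max proto-version setters in the Init hunk likewise ignore their return values, which is pre-existing but would hide a min_version above the new TLS1_2_VERSION cap.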