Patch attached to bug 670574 (Gentoo Bugzilla)

(-)a/BUILDING.md (-3 / +11 lines)
Lines 132-140 Depending on host platform, the selection of toolchains may vary. Link Here
132
132
133
#### OpenSSL asm support
133
#### OpenSSL asm support
134
134
135
OpenSSL-1.1.0 requires the following asssembler version for use of asm
135
OpenSSL-1.1.1 requires the following asssembler version for use of asm
136
support on x86_64 and ia32.
136
support on x86_64 and ia32.
137
137
138
For use of AVX-512,
139
140
* gas (GNU assembler) version 2.26 or higher
141
* nasm version 2.11.8 or higher in Windows
142
143
Note that AVX-512 is disabled for Skylake-X by OpenSSL-1.1.1.
144
145
For use of AVX2,
146
 
138
* gas (GNU assembler) version 2.23 or higher
147
* gas (GNU assembler) version 2.23 or higher
139
* xcode version 5.0 or higher
148
* xcode version 5.0 or higher
140
* llvm version 3.3 or higher
149
* llvm version 3.3 or higher
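Review bot: the modified line 135 still carries the typo "asssembler" (three s's) from the old text; since the line is being rewritten anyway, change it to "assembler". Two smaller points in the same hunk: line 141 "nasm version 2.11.8 or higher in Windows" reads better as "on Windows", and line 146 is a whitespace-only line where an empty line is intended, which leaves trailing whitespace in the file.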
Lines 144-151 Otherwise `configure` will fail with an error. This can be avoided by Link Here
144
either providing a newer assembler as per the list above or by
153
either providing a newer assembler as per the list above or by
145
using the `--openssl-no-asm` flag.
154
using the `--openssl-no-asm` flag.
146
155
147
*Note:* The forthcoming OpenSSL-1.1.1 will require higher
156
 Please refer to
148
 version. Please refer
149
 https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_ia32cap.html for
157
 https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_ia32cap.html for
150
 details.
158
 details.
151
159
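Review bot: the rewritten sentence at line 156 now reads "Please refer to https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_ia32cap.html for details" without saying details of what, since the preceding sentence about the forthcoming 1.1.1 requirement was dropped. Since the linked page documents the OPENSSL_ia32cap environment variable, say so, e.g. "See ... for details on OPENSSL_ia32cap, which controls which asm code paths OpenSSL enables at runtime." The leading space on line 156 should also go, so the line is not indented differently from the rest of the paragraph.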
(-)a/src/node_crypto.cc (+23 lines)
Lines 465-470 void SecureContext::Init(const FunctionCallbackInfo<Value>& args) { Link Here
465
                                 SSL_SESS_CACHE_NO_AUTO_CLEAR);
465
                                 SSL_SESS_CACHE_NO_AUTO_CLEAR);
466
466
467
  SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);
467
  SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);
468
469
  if (max_version == 0) {
470
    // Selecting some secureProtocol methods allows the TLS version to be "any
471
    // supported", but we don't support TLSv1.3, even if OpenSSL does.
472
    max_version = TLS1_2_VERSION;
473
  }
468
  SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
474
  SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
469
  // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
475
  // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
470
  // exposed in the public API. To retain compatibility, install a callback
476
  // exposed in the public API. To retain compatibility, install a callback
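Review bot: the new guard at lines 469-473 only clamps the "any version" case (max_version == 0); if a caller can pass an explicit max_version above TLS1_2_VERSION, it is still handed to SSL_CTX_set_max_proto_version unchanged, which contradicts the comment that TLSv1.3 is not supported. If that is reachable, clamp both cases, e.g. `if (max_version == 0 || max_version > TLS1_2_VERSION) max_version = TLS1_2_VERSION;`. The comment would also benefit from a one-line reason (TLSv1.3 not yet supported by the tls API) rather than only the bare statement, so the workaround is easy to find and remove once TLSv1.3 support lands.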
Lines 888-894 void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) { Link Here
888
894
889
  THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers");
895
  THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers");
890
896
897
  // Note: set_ciphersuites() is for TLSv1.3 and was introduced in openssl
898
  // 1.1.1, set_cipher_list() is for TLSv1.2 and earlier.
899
  //
900
  // In openssl 1.1.0, set_cipher_list() would error if it resulted in no
901
  // TLSv1.2 (and earlier) cipher suites, and there is no TLSv1.3 support.
902
  //
903
  // In openssl 1.1.1, set_cipher_list() will not error if it results in no
904
  // TLSv1.2 cipher suites if there are any TLSv1.3 cipher suites, which there
905
  // are by default. There will be an error later, during the handshake, but
906
  // that results in an async error event, rather than a sync error thrown,
907
  // which is a semver-major change for the tls API.
908
  //
909
  // Since we don't currently support TLSv1.3, work around this by removing the
910
  // TLSv1.3 cipher suites, so we get backwards compatible synchronous errors.
891
  const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
911
  const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
912
#ifdef TLS1_3_VERSION
913
  SSL_CTX_set_ciphersuites(sc->ctx_.get(), "");
914
#endif
892
  SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers);
915
  SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers);
893
}
916
}
894
917
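Review bot: the return value of SSL_CTX_set_ciphersuites at line 913 is discarded; it returns 0 on failure, and the point of this workaround is that a bad cipher configuration surfaces as a synchronous error, so check it (or at least CHECK_EQ it to 1) rather than silently proceeding to SSL_CTX_set_cipher_list. The ordering is right, though: clearing the TLSv1.3 list before SSL_CTX_set_cipher_list is what makes set_cipher_list error again when it yields no TLSv1.2 suites, as the comment block at lines 897-910 explains.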
(-)a/src/tls_wrap.cc (-1 / +4 lines)
Lines 227-233 void TLSWrap::SSLInfoCallback(const SSL* ssl_, int where, int ret) { Link Here
227
    }
227
    }
228
  }
228
  }
229
229
230
  if (where & SSL_CB_HANDSHAKE_DONE) {
230
  // SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE are called
231
  // sending HelloRequest in OpenSSL-1.1.1.
232
  // We need to check whether this is in a renegotiation state or not.
233
  if (where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)) {
231
    c->established_ = true;
234
    c->established_ = true;
232
    Local<Value> callback = object->Get(env->onhandshakedone_string());
235
    Local<Value> callback = object->Get(env->onhandshakedone_string());
233
    if (callback->IsFunction()) {
236
    if (callback->IsFunction()) {
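Review bot: the comment at lines 230-231 is missing words and does not say what the reader needs: "SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE are called sending HelloRequest in OpenSSL-1.1.1" should read something like "In OpenSSL-1.1.1 the info callback also receives SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE when a HelloRequest is sent, so check that no renegotiation is pending before treating the handshake as done." Two smaller points on line 233: the condition uses `ssl` while the function parameter in the hunk header is `ssl_`, so this relies on a non-const alias declared earlier that is not visible here; and although `&` binds tighter than `&&`, writing `(where & SSL_CB_HANDSHAKE_DONE) && !SSL_renegotiate_pending(ssl)` makes the intent clear to the next reader.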
