-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS1.3 support #26209
TLS1.3 support #26209
Conversation
@bnoordhuis note that I renamed the CLI options you introduced in #23814 that set the min TLS version, because I added options to limit the max, and I wanted whether it was setting the max or min to be clear. The original options haven't landed anywhere because they came with a change to disable TLS1.0 and 1.1, so that rename shouldn't affect anyone, though I'll have to backport part of #23814 with this PR if/when it gets backported |
dce230a
to
71340f7
Compare
c8be820
to
479fd70
Compare
@@ -1,62 +1,93 @@ | |||
// Copyright Joyent, Inc. and other Node contributors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this OK? I rewrote this test from scratch, but if wanted, I can put the old copyright back in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nodejs/TSC or @jasnell (who was involved in restoring incorrectly removed copyrights early in the io.js days, IIRC)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nodejs/tsc
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is fine
b4c65f5
to
5bd81ce
Compare
@nodejs/crypto PTAL A note on the test approach: I tried to make as few changes to the tests as possible, since its supposed to be API almost-compatible. When I had to make significant changes to a test, I often wrapped it, so that the test is run with both TLS1.2 and TLS1.3 as the default (the tests usually negotiate the default max). Since I want to backport this to release lines where TLS1.2 is the default max, I hacked the default max to be TLSv1.2, and ran In theory, the entire test suite could be run with TLS1.2 and 1.3 (and 1.0, and...), but that seemed excessive. If anyone has concerns about specific tests, I can add coverage for them. |
I added I added @nodejs/release @nodejs/lts please adjust if this isn't your expectation. |
First glance This looks good. Will have to go back over in detail before signing off, however. Thank you for working on this |
last one didn't even start, try again: |
// the ciphers and pass them to the appropriate API. | ||
const ciphers = (options.ciphers || tls.DEFAULT_CIPHERS).split(':'); | ||
const cipherList = ciphers.filter((_) => !_.match(/^TLS_/)).join(':'); | ||
const cipherSuites = ciphers.filter((_) => _.match(/^TLS_/)).join(':'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This feels like a complete hack but I'm not sure there's a better way unless we expose two different options for setting the cipher suites.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I couldn't think of a better way, and I think two options would be awful. This code may be odd, but its only a couple lines long, and its very robust. We could go the BoringSSL way, and not even allow the TLS1.3 suites to be configurable, but that seems like not such a great idea, either. IoT devs would not be happy.
This introduces TLS1.3 support and makes it the default max protocol, but also supports CLI/NODE_OPTIONS switches to disable it if necessary. TLS1.3 is a major update to the TLS protocol, with many security enhancements. It should be preferred over TLS1.2 whenever possible. TLS1.3 is different enough that even though the OpenSSL APIs are technically API/ABI compatible, that when TLS1.3 is negotiated, the timing of protocol records and of callbacks broke assumptions hard-coded into the 'tls' module. This change introduces no API incompatibilities when TLS1.2 is negotiated. It is the intention that it be backported to current and LTS release lines with the default maximum TLS protocol reset to 'TLSv1.2'. This will allow users of those lines to explicitly enable TLS1.3 if they want. API incompatibilities between TLS1.2 and TLS1.3 are: - Renegotiation is not supported by TLS1.3 protocol, attempts to call `.renegotiate()` will always fail. - Compiling against a system OpenSSL lower than 1.1.1 is no longer supported (OpenSSL-1.1.0 used to be supported with configure flags). - Variations of `conn.write('data'); conn.destroy()` have undefined behaviour according to the streams API. They may or may not send the 'data', and may or may not cause a ERR_STREAM_DESTROYED error to be emitted. This has always been true, but conditions under which the write suceeds is slightly but observably different when TLS1.3 is negotiated vs when TLS1.2 or below is negotiated. - If TLS1.3 is negotiated, and a server calls `conn.end()` in its 'secureConnection' listener without any data being written, the client will not receive session tickets (no 'session' events will be emitted, and `conn.getSession()` will never return a resumable session). - The return value of `conn.getSession()` API may not return a resumable session if called right after the handshake. The effect will be that clients using the legacy `getSession()` API will resume sessions if TLS1.2 is negotiated, but will do full handshakes if TLS1.3 is negotiated. See #25831 for more information. Backport-PR-URL: #26951 PR-URL: #26209 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
Notable changes: * deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794) * src: add .code and SSL specific error properties (Sam Roberts) [#25093](#25093) * tls: * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](#26951) * supported shared openssl 1.1.0 (Sam Roberts) [#26951](#26951) * revert default max toTLSv1.2 (Sam Roberts) [#26951](#26951) * revert change to invalid protocol error type (Sam Roberts) [#26951](#26951) * support TLSv1.3 (Sam Roberts) [#26209](#26209) * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](#24729)
Notable changes: * deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794) * src: add .code and SSL specific error properties (Sam Roberts) [#25093](#25093) * tls: * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](#26951) * supported shared openssl 1.1.0 (Sam Roberts) [#26951](#26951) * revert default max toTLSv1.2 (Sam Roberts) [#26951](#26951) * revert change to invalid protocol error type (Sam Roberts) [#26951](#26951) * support TLSv1.3 (Sam Roberts) [#26209](#26209) * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](#24729)
Notable changes: * assert: * improve performance to instantiate errors (Ruben Bridgewater) [#26738](#26738) * validate required arguments (Ruben Bridgewater) [#26641](#26641) * adjust loose assertions (Ruben Bridgewater) [#25008](#25008) * async_hooks: * remove deprecated emitBefore and emitAfter (Matteo Collina) [#26530](#26530) * remove promise object from resource (Andreas Madsen) [#23443](#23443) * bootstrap * make Buffer and process non-enumerable (Ruben Bridgewater) [#24874](#24874) * buffer: * use stricter range checks (Ruben Bridgewater) [#27045](#27045) * harden SlowBuffer creation (ZYSzys) [#26272](#26272) * harden validation of buffer allocation size (ZYSzys) [#26162](#26162) * do proper error propagation in addon methods (Anna Henningsen) [#23939](#23939) * child_process: * change the defaults maxBuffer size (kohta ito) [#27179](#27179) * harden fork arguments validation (ZYSzys) [#27039](#27039) * use non-infinite maxBuffer defaults (kohta ito) [#23027](#23027) * console: * don't use ANSI escape codes when TERM=dumb (Vladislav Kaminsky) [#26261](#26261) * crypto: * remove legacy native handles (Tobias Nießen) [#27011](#27011) * decode missing passphrase errors (Tobias Nießen) [#25208](#25208) * move DEP0113 to End-of-Life (Tobias Nießen) [#26249](#26249) * remove deprecated crypto.\_toBuf (Tobias Nießen) [#25338](#25338) * set `DEFAULT\_ENCODING` property to non-enumerable (Antoine du Hamel) [#23222](#23222) * deps: * silence irrelevant V8 warning (Michaël Zasso) [#26685](#26685) * update postmortem metadata generation script (cjihrig) [#26685](#26685) * V8: un-cherry-pick bd019bd (Refael Ackermann) [#26685](#26685) * V8: cherry-pick 6 commits (Michaël Zasso) [#26685](#26685) * V8: cherry-pick d82c9af (Anna Henningsen) [#26685](#26685) * V8: cherry-pick e5f01ba (Anna Henningsen) [#26685](#26685) * V8: cherry-pick d5f08e4 (Anna Henningsen) [#26685](#26685) * V8: cherry-pick 6b09d21 (Anna Henningsen) [#26685](#26685) * V8: cherry-pick f0bb5d2 (Anna Henningsen) [#26685](#26685) * V8: cherry-pick 5b0510d (Anna Henningsen) [#26685](#26685) * V8: cherry-pick 91f0cd0 (Anna Henningsen) [#26685](#26685) * V8: cherry-pick 392316d (Anna Henningsen) [#26685](#26685) * V8: cherry-pick 2f79d68 (Anna Henningsen) [#26685](#26685) * sync V8 gypfiles with 7.4 (Ujjwal Sharma) [#26685](#26685) * update V8 to 7.4.288.13 (Ujjwal Sharma) [#26685](#26685) * bump minimum icu version to 63 (Ujjwal Sharma) [#25852](#25852) * silence irrelevant V8 warnings (Michaël Zasso) [#25852](#25852) * V8: cherry-pick 7803fa6 (Jon Kunkee) [#25852](#25852) * V8: cherry-pick 58cefed (Jon Kunkee) [#25852](#25852) * V8: cherry-pick d3308d0 (Michaël Zasso) [#25852](#25852) * V8: cherry-pick 74571c8 (Michaël Zasso) [#25852](#25852) * cherry-pick fc0ddf5 from upstream V8 (Anna Henningsen) [#25852](#25852) * sync V8 gypfiles with 7.3 (Ujjwal Sharma) [#25852](#25852) * sync V8 gypfiles with 7.2 (Michaël Zasso) [#25852](#25852) * update V8 to 7.3.492.25 (Michaël Zasso) [#25852](#25852) * add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794) * sync V8 gypfiles with 7.1 (Refael Ackermann) [#23423](#23423) * update V8 to 7.1.302.28 (Michaël Zasso) [#23423](#23423) * doc: * update behaviour of fs.writeFile (Sakthipriyan Vairamani (thefourtheye)) [#25080](#25080) * add internal functionality details of util.inherits (Ruben Bridgewater) [#24755](#24755) * errors: * update error name (Ruben Bridgewater) [#26738](#26738) * fs: * use proper .destroy() implementation for SyncWriteStream (Matteo Collina) [#26690](#26690) * improve mode validation (Ruben Bridgewater) [#26575](#26575) * harden validation of start option in createWriteStream (ZYSzys) [#25579](#25579) * make writeFile consistent with readFile wrt fd (Sakthipriyan Vairamani (thefourtheye)) [#23709](#23709) * http: * validate timeout in ClientRequest() (cjihrig) [#26214](#26214) * return HTTP 431 on HPE\_HEADER\_OVERFLOW error (Albert Still) [#25605](#25605) * switch default parser to llhttp (Anna Henningsen) [#24870](#24870) * change DEP0066 to a runtime deprecation (Morgan Roderick) [#24167](#24167) * else case is not reachable (szabolcsit) [#24176](#24176) * lib: * move DEP0021 to end of life (cjihrig) [#27127](#27127) * remove Atomics.wake (Gus Caplan) [#27033](#27033) * validate Error.captureStackTrace() calls (Ruben Bridgewater) [#26738](#26738) * refactor Error.captureStackTrace() usage (Ruben Bridgewater) [#26738](#26738) * move DTRACE\_\* probes out of global scope (James M Snell) [#26541](#26541) * deprecate \_stream\_wrap (Sam Roberts) [#26245] (#26245) * don't use `util.inspect()` internals (Ruben Bridgewater) [#24971](#24971) * improve error message for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](#25690) * requireStack property for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](#25690) * move DEP0029 to end of life (cjihrig) [#25377](#25377) * move DEP0028 to end of life (cjihrig) [#25377](#25377) * move DEP0027 to end of life (cjihrig) [#25377](#25377) * move DEP0026 to end of life (cjihrig) [#25377](#25377) * move DEP0023 to end of life (cjihrig) [#25280](#25280) * move DEP0006 to end of life (cjihrig) [#25279](#25279) * remove unintended access to deps/ (Anna Henningsen) [#25138](#25138) * move DEP0120 to end of life (cjihrig) [#24862](#24862) * use ES6 class inheritance style (Ruben Bridgewater) [#24755](#24755) * remove `inherits()` usage (Ruben Bridgewater) [#24755](#24755) * module: * remove dead code (Ruben Bridgewater) [#26983](#26983) * mark DEP0019 as End-of-Life (Ruben Bridgewater) [#26973](#26973) * throw an error for invalid package.json main entries (Ruben Bridgewater) [#26823](#26823) * don't search in require.resolve.paths (cjihrig) [#23683](#23683) * n-api: * remove code from error name (Ruben Bridgewater) [#26738](#26738) * net: * do not manipulate potential user code (Ruben Bridgewater) [#26751](#26751) * emit "write after end" errors in the next tick (Ouyang Yadong) [#24457](#24457) * deprecate \_setSimultaneousAccepts() undocumented function (James M Snell) [#23760](#23760) * net,http2: * merge setTimeout code (ZYSzys) [#25084](#25084) * os: * implement os.type() using uv\_os\_uname() (cjihrig) [#25659](#25659) * process: * global.process, global.Buffer getters (Guy Bedford) [#26882](#26882) * move DEP0062 (node --debug) to end-of-life (Joyee Cheung) [#25828](#25828) * exit on --debug and --debug-brk after option parsing (Joyee Cheung) [#25828](#25828) * improve `--redirect-warnings` handling (Ruben Bridgewater) [#24965](#24965) * readline: * support TERM=dumb (Vladislav Kaminsky) [#26261](#26261) * repl: * add welcome message (gengjiawen) [#25947](#25947) * fix terminal default setting (Ruben Bridgewater) [#26518](#26518) * check colors with .getColorDepth() (Vladislav Kaminsky) [#26261](#26261) * deprecate REPLServer.rli (Ruben Bridgewater) [#26260](#26260) * src: * remove unused INT\_MAX constant (Sam Roberts) [#27078](#27078) * update NODE\_MODULE\_VERSION to 72 (Ujjwal Sharma) [#26685](#26685) * remove `AddPromiseHook()` (Anna Henningsen) [#26574](#26574) * update NODE\_MODULE\_VERSION to 71 (Michaël Zasso) [#25852](#25852) * clean up MultiIsolatePlatform interface (Anna Henningsen) [#26384](#26384) * properly configure default heap limits (Ali Ijaz Sheikh) [#25576](#25576) * remove icuDataDir from node config (GauthamBanasandra) [#24780](#24780) * explicitly allow JS in ReadHostObject (Yang Guo) [#23423](#23423) * update postmortem constant (cjihrig) [#23423](#23423) * update NODE\_MODULE\_VERSION to 68 (Michaël Zasso) [#23423](#23423) * tls: * support TLSv1.3 (Sam Roberts) [#26209](#26209) * return correct version from getCipher() (Sam Roberts) [#26625](#26625) * check arg types of renegotiate() (Sam Roberts) [#25876](#25876) * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](#24729) * emit a warning when servername is an IP address (Rodger Combs) [#23329](#23329) * disable TLS v1.0 and v1.1 by default (Ben Noordhuis) [#23814](#23814) * remove unused arg to createSecureContext() (Sam Roberts) [#24241](#24241) * deprecate Server.prototype.setOptions() (cjihrig)[ #23820](#23820) * load NODE\_EXTRA\_CA\_CERTS at startup (Ouyang Yadong) [#23354](#23354) * util: * change inspect compact and breakLength default (Ruben Bridgewater) [#27109](#27109) * improve inspect edge cases (Ruben Bridgewater) [#27109](#27109) * only the first line of the error message (Simon Zünd) [#26685](#26685) * don't set the prototype of callbackified functions (Ruben Bridgewater) [#26893](#26893) * rename callbackified function (Ruben Bridgewater) [#26893](#26893) * increase function length when using `callbackify()` (Ruben Bridgewater) [#26893](#26893) * prevent tampering with internals in `inspect()` (Ruben Bridgewater) [#26577](#26577) * fix proxy inspection (Ruben Bridgewater) [#26241](#26241) * prevent leaking internal properties (Ruben Bridgewater) [#24971](#24971) * protect against monkeypatched Object prototype for inspect() (Rich Trott) [#25953](#25953) * treat format arguments equally (Roman Reiss) [#23162](#23162) * win, fs: * detect if symlink target is a directory (Bartosz Sosnowski) [#23724](#23724) * zlib: * throw TypeError if callback is missing (Anna Henningsen)[ #24929](#24929) * make “bare” constants un-enumerable (Anna Henningsen) [#24824](#24824) PR-URL: #26930
Notable changes: * assert: * validate required arguments (Ruben Bridgewater) [#26641](#26641) * adjust loose assertions (Ruben Bridgewater) [#25008](#25008) * async_hooks: * remove deprecated `emitBefore` and `emitAfter` (Matteo Collina) [#26530](#26530) * remove promise object from resource (Andreas Madsen) [#23443](#23443) * bootstrap: make Buffer and process non-enumerable (Ruben Bridgewater) [#24874](#24874) * buffer: * use stricter range checks (Ruben Bridgewater) [#27045](#27045) * harden `SlowBuffer` creation (ZYSzys) [#26272](#26272) * harden validation of buffer allocation size (ZYSzys) [#26162](#26162) * do proper error propagation in addon methods (Anna Henningsen) [#23939](#23939) * child_process: * remove `options.customFds` (cjihrig) [#25279](#25279) * harden fork arguments validation (ZYSzys) [#27039](#27039) * use non-infinite `maxBuffer` defaults (kohta ito) [#23027](#23027) * console: * don't use ANSI escape codes when `TERM=dumb` (Vladislav Kaminsky) [#26261](#26261) * crypto: * remove legacy native handles (Tobias Nießen) [#27011](#27011) * decode missing passphrase errors (Tobias Nießen) [#25208](#25208) * remove `Cipher.setAuthTag()` and `Decipher.getAuthTag()` (Tobias Nießen) [#26249](#26249) * remove deprecated `crypto._toBuf()` (Tobias Nießen) [#25338](#25338) * set `DEFAULT\_ENCODING` property to non-enumerable (Antoine du Hamel) [#23222](#23222) * deps: * update V8 to 7.4.288.13 (Michaël Zasso, cjihrig, Refael Ackermann) (Anna Henningsen, Ujjwal Sharma) [#26685](#26685) * bump minimum icu version to 63 (Ujjwal Sharma) [#25852](#25852) * update OpenSSL to 1.1.1b (Sam Roberts, Shigeki Ohtsu) [#26327](#26327) * errors: * update error name (Ruben Bridgewater) [#26738](#26738) * fs: * use proper .destroy() implementation for SyncWriteStream (Matteo Collina) [#26690](#26690) * improve mode validation (Ruben Bridgewater) [#26575](#26575) * harden validation of start option in `createWriteStream()` (ZYSzys) [#25579](#25579) * make writeFile consistent with readFile wrt fd (Sakthipriyan Vairamani (thefourtheye)) [#23709](#23709) * http: * validate timeout in `ClientRequest()` (cjihrig) [#26214](#26214) * return HTTP 431 on `HPE_HEADER_OVERFLOW` error (Albert Still) [#25605](#25605) * switch default parser to llhttp (Anna Henningsen) [#24870](#24870) * Runtime-deprecate `outgoingMessage._headers` and `outgoingMessage._headerNames` (Morgan Roderick) [#24167](#24167) * lib: * remove `Atomics.wake()` (Gus Caplan) [#27033](#27033) * move DTRACE\_\* probes out of global scope (James M Snell) [#26541](#26541) * deprecate `_stream_wrap` (Sam Roberts) [#26245](#26245) * use ES6 class inheritance style (Ruben Bridgewater) [#24755](#24755) * module: * remove unintended access to deps/ (Anna Henningsen) [#25138](#25138) * improve error message for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](#25690) * requireStack property for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](#25690) * remove dead code (Ruben Bridgewater) [#26983](#26983) * make `require('.')` never resolve outside the current directory (Ruben Bridgewater) [#26973](#26973) * throw an error for invalid package.json main entries (Ruben Bridgewater) [#26823](#26823) * don't search in `require.resolve.paths` (cjihrig) [#23683](#23683) * net: * remove `Server.listenFD()` (cjihrig) [#27127](#27127) * do not add `.host` and `.port` properties to DNS error (Ruben Bridgewater) [#26751](#26751) * emit "write after end" errors in the next tick (Ouyang Yadong) [#24457](#24457) * deprecate `_setSimultaneousAccepts()` undocumented function (James M Snell) [#23760](#23760) * os: * implement `os.type()` using `uv_os_uname()` (cjihrig) [#25659](#25659) * remove `os.getNetworkInterfaces()` (cjihrig) [#25280](#25280) * process: * make global.process, global.Buffer getters (Guy Bedford) [#26882](#26882) * move DEP0062 (node --debug) to end-of-life (Joyee Cheung) [#25828](#25828) * exit on --debug and --debug-brk after option parsing (Joyee Cheung) [#25828](#25828) * improve `--redirect-warnings` handling (Ruben Bridgewater) [#24965](#24965) * readline: * support TERM=dumb (Vladislav Kaminsky) [#26261](#26261) * repl: * add welcome message (gengjiawen) [#25947](#25947) * fix terminal default setting (Ruben Bridgewater) [#26518](#26518) * check colors with `.getColorDepth()` (Vladislav Kaminsky) [#26261](#26261) * deprecate REPLServer.rli (Ruben Bridgewater) [#26260](#26260) * src: * remove unused `INT_MAX` constant (Sam Roberts) [#27078](#27078) * update `NODE_MODULE_VERSION` to 72 (Ujjwal Sharma) [#26685](#26685) * remove `AddPromiseHook()` (Anna Henningsen) [#26574](#26574) * clean up `MultiIsolatePlatform` interface (Anna Henningsen) [#26384](#26384) * properly configure default heap limits (Ali Ijaz Sheikh) [#25576](#25576) * remove `icuDataDir` from node config (GauthamBanasandra) [#24780](#24780) * tls: * support TLSv1.3 (Sam Roberts) [#26209](#26209) * return correct version from `getCipher()` (Sam Roberts) [#26625](#26625) * check arg types of renegotiate() (Sam Roberts) [#25876](#25876) * add code for `ERR_TLS_INVALID_PROTOCOL_METHOD` (Sam Roberts) [#24729](#24729) * emit a warning when servername is an IP address (Rodger Combs) [#23329](#23329) * disable TLS v1.0 and v1.1 by default (Ben Noordhuis) [#23814](#23814) * remove unused arg to createSecureContext() (Sam Roberts) [#24241](#24241) * deprecate `Server.prototype.setOptions()` (cjihrig) [#23820](#23820) * load `NODE_EXTRA_CA_CERTS` at startup (Ouyang Yadong) [#23354](#23354) * util: * remove `util.print()`, `util.puts()`, `util.debug()` and `util.error()` (cjihrig) [#25377](#25377) * change inspect compact and breakLength default (Ruben Bridgewater) [#27109](#27109) * improve inspect edge cases (Ruben Bridgewater) [#27109](#27109) * only the first line of the error message (Simon Zünd) [#26685](#26685) * don't set the prototype of callbackified functions (Ruben Bridgewater) [#26893](#26893) * rename callbackified function (Ruben Bridgewater) [#26893](#26893) * increase function length when using `callbackify()` (Ruben Bridgewater) [#26893](#26893) * prevent tampering with internals in `inspect()` (Ruben Bridgewater) [#26577](#26577) * prevent Proxy traps being triggered by `.inspect()` (Ruben Bridgewater) [#26241](#26241) * prevent leaking internal properties (Ruben Bridgewater) [#24971](#24971) * protect against monkeypatched Object prototype for inspect() (Rich Trott) [#25953](#25953) * treat format arguments equally (Roman Reiss) [#23162](#23162) * win, fs: * detect if symlink target is a directory (Bartosz Sosnowski) [#23724](#23724) * zlib: * throw TypeError if callback is missing (Anna Henningsen) [#24929](#24929) * make “bare” constants un-enumerable (Anna Henningsen) [#24824](#24824) PR-URL: #26930
Notable changes: * assert: * validate required arguments (Ruben Bridgewater) [#26641](#26641) * adjust loose assertions (Ruben Bridgewater) [#25008](#25008) * async_hooks: * remove deprecated `emitBefore` and `emitAfter` (Matteo Collina) [#26530](#26530) * remove promise object from resource (Andreas Madsen) [#23443](#23443) * bootstrap: make Buffer and process non-enumerable (Ruben Bridgewater) [#24874](#24874) * buffer: * use stricter range checks (Ruben Bridgewater) [#27045](#27045) * harden `SlowBuffer` creation (ZYSzys) [#26272](#26272) * harden validation of buffer allocation size (ZYSzys) [#26162](#26162) * do proper error propagation in addon methods (Anna Henningsen) [#23939](#23939) * child_process: * remove `options.customFds` (cjihrig) [#25279](#25279) * harden fork arguments validation (ZYSzys) [#27039](#27039) * use non-infinite `maxBuffer` defaults (kohta ito) [#23027](#23027) * console: * don't use ANSI escape codes when `TERM=dumb` (Vladislav Kaminsky) [#26261](#26261) * crypto: * remove legacy native handles (Tobias Nießen) [#27011](#27011) * decode missing passphrase errors (Tobias Nießen) [#25208](#25208) * remove `Cipher.setAuthTag()` and `Decipher.getAuthTag()` (Tobias Nießen) [#26249](#26249) * remove deprecated `crypto._toBuf()` (Tobias Nießen) [#25338](#25338) * set `DEFAULT\_ENCODING` property to non-enumerable (Antoine du Hamel) [#23222](#23222) * deps: * update V8 to 7.4.288.13 (Michaël Zasso, cjihrig, Refael Ackermann) (Anna Henningsen, Ujjwal Sharma) [#26685](#26685) * bump minimum icu version to 63 (Ujjwal Sharma) [#25852](#25852) * update OpenSSL to 1.1.1b (Sam Roberts, Shigeki Ohtsu) [#26327](#26327) * errors: * update error name (Ruben Bridgewater) [#26738](#26738) * fs: * use proper .destroy() implementation for SyncWriteStream (Matteo Collina) [#26690](#26690) * improve mode validation (Ruben Bridgewater) [#26575](#26575) * harden validation of start option in `createWriteStream()` (ZYSzys) [#25579](#25579) * make writeFile consistent with readFile wrt fd (Sakthipriyan Vairamani (thefourtheye)) [#23709](#23709) * http: * validate timeout in `ClientRequest()` (cjihrig) [#26214](#26214) * return HTTP 431 on `HPE_HEADER_OVERFLOW` error (Albert Still) [#25605](#25605) * switch default parser to llhttp (Anna Henningsen) [#24870](#24870) * Runtime-deprecate `outgoingMessage._headers` and `outgoingMessage._headerNames` (Morgan Roderick) [#24167](#24167) * lib: * remove `Atomics.wake()` (Gus Caplan) [#27033](#27033) * move DTRACE\_\* probes out of global scope (James M Snell) [#26541](#26541) * deprecate `_stream_wrap` (Sam Roberts) [#26245](#26245) * use ES6 class inheritance style (Ruben Bridgewater) [#24755](#24755) * module: * remove unintended access to deps/ (Anna Henningsen) [#25138](#25138) * improve error message for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](#25690) * requireStack property for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](#25690) * remove dead code (Ruben Bridgewater) [#26983](#26983) * make `require('.')` never resolve outside the current directory (Ruben Bridgewater) [#26973](#26973) * throw an error for invalid package.json main entries (Ruben Bridgewater) [#26823](#26823) * don't search in `require.resolve.paths` (cjihrig) [#23683](#23683) * net: * remove `Server.listenFD()` (cjihrig) [#27127](#27127) * do not add `.host` and `.port` properties to DNS error (Ruben Bridgewater) [#26751](#26751) * emit "write after end" errors in the next tick (Ouyang Yadong) [#24457](#24457) * deprecate `_setSimultaneousAccepts()` undocumented function (James M Snell) [#23760](#23760) * os: * implement `os.type()` using `uv_os_uname()` (cjihrig) [#25659](#25659) * remove `os.getNetworkInterfaces()` (cjihrig) [#25280](#25280) * process: * make global.process, global.Buffer getters (Guy Bedford) [#26882](#26882) * move DEP0062 (node --debug) to end-of-life (Joyee Cheung) [#25828](#25828) * exit on --debug and --debug-brk after option parsing (Joyee Cheung) [#25828](#25828) * improve `--redirect-warnings` handling (Ruben Bridgewater) [#24965](#24965) * readline: * support TERM=dumb (Vladislav Kaminsky) [#26261](#26261) * repl: * add welcome message (gengjiawen) [#25947](#25947) * fix terminal default setting (Ruben Bridgewater) [#26518](#26518) * check colors with `.getColorDepth()` (Vladislav Kaminsky) [#26261](#26261) * deprecate REPLServer.rli (Ruben Bridgewater) [#26260](#26260) * src: * remove unused `INT_MAX` constant (Sam Roberts) [#27078](#27078) * update `NODE_MODULE_VERSION` to 72 (Ujjwal Sharma) [#26685](#26685) * remove `AddPromiseHook()` (Anna Henningsen) [#26574](#26574) * clean up `MultiIsolatePlatform` interface (Anna Henningsen) [#26384](#26384) * properly configure default heap limits (Ali Ijaz Sheikh) [#25576](#25576) * remove `icuDataDir` from node config (GauthamBanasandra) [#24780](#24780) * tls: * support TLSv1.3 (Sam Roberts) [#26209](#26209) * return correct version from `getCipher()` (Sam Roberts) [#26625](#26625) * check arg types of renegotiate() (Sam Roberts) [#25876](#25876) * add code for `ERR_TLS_INVALID_PROTOCOL_METHOD` (Sam Roberts) [#24729](#24729) * emit a warning when servername is an IP address (Rodger Combs) [#23329](#23329) * disable TLS v1.0 and v1.1 by default (Ben Noordhuis) [#23814](#23814) * remove unused arg to createSecureContext() (Sam Roberts) [#24241](#24241) * deprecate `Server.prototype.setOptions()` (cjihrig) [#23820](#23820) * load `NODE_EXTRA_CA_CERTS` at startup (Ouyang Yadong) [#23354](#23354) * util: * remove `util.print()`, `util.puts()`, `util.debug()` and `util.error()` (cjihrig) [#25377](#25377) * change inspect compact and breakLength default (Ruben Bridgewater) [#27109](#27109) * improve inspect edge cases (Ruben Bridgewater) [#27109](#27109) * only the first line of the error message (Simon Zünd) [#26685](#26685) * don't set the prototype of callbackified functions (Ruben Bridgewater) [#26893](#26893) * rename callbackified function (Ruben Bridgewater) [#26893](#26893) * increase function length when using `callbackify()` (Ruben Bridgewater) [#26893](#26893) * prevent tampering with internals in `inspect()` (Ruben Bridgewater) [#26577](#26577) * prevent Proxy traps being triggered by `.inspect()` (Ruben Bridgewater) [#26241](#26241) * prevent leaking internal properties (Ruben Bridgewater) [#24971](#24971) * protect against monkeypatched Object prototype for inspect() (Rich Trott) [#25953](#25953) * treat format arguments equally (Roman Reiss) [#23162](#23162) * win, fs: * detect if symlink target is a directory (Bartosz Sosnowski) [#23724](#23724) * zlib: * throw TypeError if callback is missing (Anna Henningsen) [#24929](#24929) * make “bare” constants un-enumerable (Anna Henningsen) [#24824](#24824) PR-URL: #26930
Notable changes: * deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794) * src: add .code and SSL specific error properties (Sam Roberts) [#25093](#25093) * tls: * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](#26951) * supported shared openssl 1.1.0 (Sam Roberts) [#26951](#26951) * revert default max toTLSv1.2 (Sam Roberts) [#26951](#26951) * revert change to invalid protocol error type (Sam Roberts) [#26951](#26951) * support TLSv1.3 (Sam Roberts) [#26209](#26209) * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](#24729) PR-URL: #27314
Notable changes: * deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794) * src: add .code and SSL specific error properties (Sam Roberts) [#25093](#25093) * tls: * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](#26951) * supported shared openssl 1.1.0 (Sam Roberts) [#26951](#26951) * revert default max toTLSv1.2 (Sam Roberts) [#26951](#26951) * revert change to invalid protocol error type (Sam Roberts) [#26951](#26951) * support TLSv1.3 (Sam Roberts) [#26209](#26209) * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](#24729) PR-URL: #27314
@sam-github @BethGriggs |
I took a shot at it, https://github.com/sam-github/node/commits/tls1.3-v10.x, but it has so many deps that weren't backported it just exploded in difficulty, and I gave up. It isn't a priority for me, not now at least, and you are literally the only person who I have ever heard express any interest in TLS1.3 on 10.x... Maybe someone else who feels the drive will have to step and do the backport. @gauravmahto , perhaps you? |
@sam-github I would love to. But I'll definitely need the guidance related to where to start and through the process. Last time I tried building on my machine (Windows), it kinda worked but several tests started to fail. Maybe this is the perfect time for me to give it another shot. :) |
@sam-github I built and ran the tests. Looks like everything worked just fine. :) |
I don't have a lot to offer outside of https://github.com/nodejs/node/blob/master/doc/guides/contributing/pull-requests.md#the-process-of-making-changes and https://github.com/nodejs/node/blob/master/COLLABORATOR_GUIDE.md#how-are-lts-branches-managed Feel free to PR a branch containing whatever you think needs doing to v10.x-staging. Make sure it tests locally, and once it passes on travis, ask someone to start a full CI and see if it passes. |
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes