-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
src,build: add --openssl-default-cipher-list #33708
Conversation
This commit adds a configuration option named openssl-default-cipher-list which takes a colon separated string specifying ciphers that should be used as the default ciphers instead of the ones defined in node_constants. The motivation for this is a use case where Fedora/RHEL would like to be able to specify a default cipher in the format PROFILE=SYSTEM. This would enable Fedora/RHEL to have a system wide security level for all applications. Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
Perhaps it would be a good idea to add a note to the I'm kind of surprised we don't already mention these |
How does this relate to the existing |
Good point, I'll add something in that document. Thanks |
Using the command-line option or the NODE_OPTIONS environment variable allows the cipher list to be overridden at runtime. The would be something the a user actively does, whereas being able to set the default cipher list at build time will allow distributions to have their own default list and the users can opt out of if they need to. |
This commit adds this option to the without_ssl so that when used with the --without-ssl option the following configuration error will be displayed: Node.js configure: Found Python 3.8.2... ERROR: --without-ssl is incompatible with --openssl-default-cipher-list
Re-run of failing node-test-commit-linux-containered/ ✔️ |
This commit adds a configuration option named openssl-default-cipher-list which takes a colon separated string specifying ciphers that should be used as the default ciphers instead of the ones defined in node_constants. The motivation for this is a use case where Fedora/RHEL would like to be able to specify a default cipher in the format PROFILE=SYSTEM. This would enable Fedora/RHEL to have a system wide security level for all applications. PR-URL: #33708 Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Landed in 7f8e977. |
This commit adds a configuration option named openssl-default-cipher-list which takes a colon separated string specifying ciphers that should be used as the default ciphers instead of the ones defined in node_constants. The motivation for this is a use case where Fedora/RHEL would like to be able to specify a default cipher in the format PROFILE=SYSTEM. This would enable Fedora/RHEL to have a system wide security level for all applications. PR-URL: #33708 Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
This commit adds a configuration option named openssl-default-cipher-list which takes a colon separated string specifying ciphers that should be used as the default ciphers instead of the ones defined in node_constants. The motivation for this is a use case where Fedora/RHEL would like to be able to specify a default cipher in the format PROFILE=SYSTEM. This would enable Fedora/RHEL to have a system wide security level for all applications. PR-URL: #33708 Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
This commit adds a configuration option named openssl-default-cipher-list which takes a colon separated string specifying ciphers that should be used as the default ciphers instead of the ones defined in node_constants. The motivation for this is a use case where Fedora/RHEL would like to be able to specify a default cipher in the format PROFILE=SYSTEM. This would enable Fedora/RHEL to have a system wide security level for all applications. PR-URL: #33708 Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
This commit adds a configuration option named openssl-default-cipher-list which takes a colon separated string specifying ciphers that should be used as the default ciphers instead of the ones defined in node_constants. The motivation for this is a use case where Fedora/RHEL would like to be able to specify a default cipher in the format PROFILE=SYSTEM. This would enable Fedora/RHEL to have a system wide security level for all applications. PR-URL: #33708 Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Just a question about setting the default ciphers to |
This commit adds a configuration option named
openssl-default-cipher-list
which takes a colon separated stringspecifying ciphers that should be used as the default ciphers instead of
the ones defined in node_constants.
The motivation for this is a use case where Fedora/RHEL would like
to be able to specify a default cipher in the format PROFILE=SYSTEM.
This would enable Fedora/RHEL to have a system wide security level for
all applications.
Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes