From a41cc6fa20d4f4bd7b95b97d6ae085cb5a7ad768 Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Wed, 3 Jun 2020 12:56:58 +0200 Subject: [PATCH 1/4] src,build: add --openssl-default-cipher-list This commit adds a configuration option named openssl-default-cipher-list which takes a colon separated string specifying ciphers that should be used as the default ciphers instead of the ones defined in node_constants. The motivation for this is a use case where Fedora/RHEL would like to be able to specify a default cipher in the format PROFILE=SYSTEM. This would enable Fedora/RHEL to have a system wide security level for all applications. Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ --- configure.py | 8 ++++++++ node.gyp | 6 ++++++ src/node_constants.h | 6 +++++- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/configure.py b/configure.py index 285dfb22504dfa..b07d6424fa11e6 100755 --- a/configure.py +++ b/configure.py @@ -170,6 +170,11 @@ "e.g. /root/x/y.js will be referenced via require('root/x/y'). " "Can be used multiple times") +parser.add_option('--openssl-default-cipher-list', + action='store', + dest='openssl_default_cipher_list', + help='Use the specified cipher list as the default cipher list') + parser.add_option("--openssl-no-asm", action="store_true", dest="openssl_no_asm", @@ -1311,6 +1316,9 @@ def without_ssl_error(option): variables['node_without_node_options'] = b(options.without_node_options) if options.without_node_options: o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS'] + if options.openssl_default_cipher_list: + variables['openssl_default_cipher_list'] = \ + options.openssl_default_cipher_list if not options.shared_openssl and not options.openssl_no_asm: is_x86 = 'x64' in variables['target_arch'] or 'ia32' in variables['target_arch'] diff --git a/node.gyp b/node.gyp index a5b95f428d450f..06e22883a596d7 100644 --- a/node.gyp +++ b/node.gyp 
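Review bot: The new `help='Use the specified cipher list as the default cipher list'` on `--openssl-default-cipher-list` says nothing about the expected format or audience, although the commit message does. A packager reading `./configure --help` needs to know the value is an OpenSSL cipher-list string in colon-separated form that is compiled in verbatim as the default, and that a string the linked OpenSSL does not understand is not detected at build time; the commit's own `PROFILE=SYSTEM` example appears, from the linked Fedora guidelines, to be a distribution-specific extension rather than stock OpenSSL syntax. Suggested text: `help='OpenSSL cipher-list string (colon-separated, e.g. a distribution profile such as PROFILE=SYSTEM) to compile in as the default TLS cipher list; not validated at build time'`.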
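Review bot: `variables['openssl_default_cipher_list'] = options.openssl_default_cipher_list` passes the command-line value through unchecked, and node.gyp in this same series pastes it inside a C string literal (`NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(...)"`), so a value containing `"`, `\` or whitespace escapes the literal and either breaks the build or alters the define in a way the packager may not notice. An allow-list of the characters OpenSSL cipher-list syntax uses closes this with a clear error: `if not re.match(r'^[A-Za-z0-9_:!+=@.-]+$', options.openssl_default_cipher_list):` followed by `error('--openssl-default-cipher-list may only contain cipher-list characters [A-Za-z0-9_:!+=@.-]')`, assuming `re` and the script's `error()` helper (which `without_ssl_error` appears to wrap) are already in scope here. Whether the string is a list the linked OpenSSL accepts still cannot be checked at configure time; that failure surfaces only when a TLS context is created at runtime, which a comment next to the assignment should say. The enclosing function continues outside this hunk.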
@@ -747,6 +747,7 @@ 'variables': { 'openssl_system_ca_path%': '', + 'openssl_default_cipher_list%': '', }, 'defines': [ @@ -763,6 +764,11 @@ 'msvs_disabled_warnings!': [4244], 'conditions': [ + [ 'openssl_default_cipher_list!=""', { + 'defines': [ + 'NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"' + ] + }], [ 'error_on_warn=="true"', { 'cflags': ['-Werror'], 'xcode_settings': { diff --git a/src/node_constants.h b/src/node_constants.h index af5aa002eb5795..d7de705fb8ec7e 100644 --- a/src/node_constants.h +++ b/src/node_constants.h @@ -41,6 +41,9 @@ #define RSA_PSS_SALTLEN_AUTO -2 #endif +#if defined(NODE_OPENSSL_DEFAULT_CIPHER_LIST) +#define DEFAULT_CIPHER_LIST_CORE NODE_OPENSSL_DEFAULT_CIPHER_LIST +#else // TLSv1.3 suites start with TLS_, and are the OpenSSL defaults, see: // https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html #define DEFAULT_CIPHER_LIST_CORE \ @@ -68,7 +71,8 @@ "!PSK:" \ "!SRP:" \ "!CAMELLIA" -#endif +#endif // NODE_OPENSSL_DEFAULT_CIPHER_LIST +#endif // HAVE_OPENSSL namespace node { From ecc07878e0d918bccbb55b62bc6922d1d3f57323 Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Thu, 4 Jun 2020 06:00:53 +0200 Subject: [PATCH 2/4] squash: add openssl-default-cipher-list to without_ssl check This commit adds this option to the without_ssl so that when used with the --without-ssl option the following configuration error will be displayed: Node.js configure: Found Python 3.8.2... ERROR: --without-ssl is incompatible with --openssl-default-cipher-list --- configure.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure.py b/configure.py index b07d6424fa11e6..87d99f75be6573 100755 --- a/configure.py +++ b/configure.py @@ -1307,6 +1307,8 @@ def without_ssl_error(option): without_ssl_error('--openssl-no-asm') if options.openssl_fips: without_ssl_error('--openssl-fips') + if options.openssl_default_cipher_list: + without_ssl_error('--openssl-default-cipher-list') return if options.use_openssl_ca_store: 
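Review bot: The define `'NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"'` relies on gyp's `<()` expansion and the generator's command-line quoting to deliver a C string literal to the compiler, and the `openssl_default_cipher_list!=""` condition is the only filter, so nothing in the file says where the value comes from or what shape it must have. The neighbouring `openssl_system_ca_path%` follows the same pattern, so a one-line comment on the new condition is enough: `# From ./configure --openssl-default-cipher-list; consumed by src/node_constants.h and embedded as a C string literal, so the value must not contain '"', '\\' or whitespace.`. Whether embedded double quotes survive every generator (the MSVS one in particular) is not visible from the hunk and is worth a Windows test build before this lands.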
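Review bot: `#define DEFAULT_CIPHER_LIST_CORE NODE_OPENSSL_DEFAULT_CIPHER_LIST` replaces the entire built-in list, including the `TLS_`-prefixed TLSv1.3 suites the retained comment below describes, yet the new branch carries no comment telling the maintainer or the packager setting the define what it expects. I would add above the `#if`: `// Set at build time with ./configure --openssl-default-cipher-list (node.gyp passes it as a` `// string literal). It replaces the whole default below, TLSv1.3 TLS_* suites included,` `// and is not validated against the linked OpenSSL until a TLS context is created.`. If `crypto.constants.defaultCoreCipherList` is derived from this macro, as the documentation change later in this series implies, a profile name such as `PROFILE=SYSTEM` is what users will see there rather than the expanded cipher set, which deserves one more sentence in that comment. The renamed outer `#endif // HAVE_OPENSSL` indicates the block sits inside a `HAVE_OPENSSL` guard that opens outside this hunk.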
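Review bot: The added `if options.openssl_default_cipher_list:` is a truthiness test, like the guard that stores the variable in the first patch, so `--openssl-default-cipher-list ''` slips past the `--without-ssl` incompatibility check and, on an SSL build, silently compiles in the stock list instead of the policy the packager asked for; a shell variable that expanded to nothing in a distro spec file would yield a build that looks policy-controlled but is not. `if options.openssl_default_cipher_list is not None:` makes this check fire for any explicitly given value, and the storing code should reject the empty string outright, e.g. `error('--openssl-default-cipher-list requires a non-empty cipher list')`. The enclosing function begins and ends outside this hunk.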
From 66815e9ba230a2bada32add98efc22cc36b359fe Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Thu, 4 Jun 2020 06:26:20 +0200 Subject: [PATCH 3/4] squash: add note about displaying the def cipher suite --- doc/api/tls.md | 55 ++++++++++++++++++++++++++------------------------ 1 file changed, 29 insertions(+), 26 deletions(-) diff --git a/doc/api/tls.md b/doc/api/tls.md index bfebf5cc2693dc..4019b7de401d78 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -269,33 +269,36 @@ Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 ## Modifying the Default TLS Cipher suite -Node.js is built with a default suite of enabled and disabled TLS ciphers. -Currently, the default cipher suite is: +Node.js is built with a default suite of enabled and disabled TLS ciphers. This +default cipher list can be configured when building Node.js to allow +distributions to provide their own default list. -```text -TLS_AES_256_GCM_SHA384: -TLS_CHACHA20_POLY1305_SHA256: -TLS_AES_128_GCM_SHA256: -ECDHE-RSA-AES128-GCM-SHA256: -ECDHE-ECDSA-AES128-GCM-SHA256: -ECDHE-RSA-AES256-GCM-SHA384: -ECDHE-ECDSA-AES256-GCM-SHA384: -DHE-RSA-AES128-GCM-SHA256: -ECDHE-RSA-AES128-SHA256: -DHE-RSA-AES128-SHA256: -ECDHE-RSA-AES256-SHA384: -DHE-RSA-AES256-SHA384: -ECDHE-RSA-AES256-SHA256: -DHE-RSA-AES256-SHA256: -HIGH: -!aNULL: -!eNULL: -!EXPORT: -!DES: -!RC4: -!MD5: -!PSK: -!SRP: +The following command can be used to show the default cipher suite: +```console +node -p "require('crypto').constants.defaultCoreCipherList" | tr ':' '\n' +TLS_AES_256_GCM_SHA384 +TLS_CHACHA20_POLY1305_SHA256 +TLS_AES_128_GCM_SHA256 +ECDHE-RSA-AES128-GCM-SHA256 +ECDHE-ECDSA-AES128-GCM-SHA256 +ECDHE-RSA-AES256-GCM-SHA384 +ECDHE-ECDSA-AES256-GCM-SHA384 +DHE-RSA-AES128-GCM-SHA256 +ECDHE-RSA-AES128-SHA256 +DHE-RSA-AES128-SHA256 +ECDHE-RSA-AES256-SHA384 +DHE-RSA-AES256-SHA384 +ECDHE-RSA-AES256-SHA256 +DHE-RSA-AES256-SHA256 +HIGH +!aNULL +!eNULL +!EXPORT +!DES +!RC4 +!MD5 +!PSK +!SRP !CAMELLIA ``` 
From fbc15011bf4443325336e86e2f29c6db8fcec2b4 Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Thu, 4 Jun 2020 10:47:00 +0200 Subject: [PATCH 4/4] squash: simplify command to show ciphers --- doc/api/tls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/tls.md b/doc/api/tls.md index 4019b7de401d78..341460a171c18d 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -275,7 +275,7 @@ distributions to provide their own default list. The following command can be used to show the default cipher suite: ```console -node -p "require('crypto').constants.defaultCoreCipherList" | tr ':' '\n' +node -p crypto.constants.defaultCoreCipherList | tr ':' '\n' TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256