deps: Disable EXPORT and LOW ciphers in openssl for v0.12 #5712

6 changes: 6 additions & 0 deletions deps/openssl/config/opensslconf.h
Expand Up @@ -44,6 +44,9 @@
# ifndef OPENSSL_NO_STORE
# define OPENSSL_NO_STORE
# endif
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
# define OPENSSL_NO_WEAK_SSL_CIPHERS
# endif
#endif /* OPENSSL_DOING_MAKEDEPEND */

#ifndef OPENSSL_THREADS
Expand Down Expand Up @@ -112,6 +115,9 @@
# if defined(OPENSSL_NO_MDC2) && !defined(NO_MDC2)
# define NO_MDC2
# endif
# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS)
# define NO_WEAK_SSL_CIPHERS
# endif
#endif

/* crypto/opensslconf.h.in */
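Review bot: The new `# define OPENSSL_NO_WEAK_SSL_CIPHERS` only drops EXPORT and LOW suites if the bundled OpenSSL sources guard those suites with this macro, and nothing in the hunk records that dependency; a comment such as `/* build without EXPORT/LOW cipher suites; effective only with an OpenSSL that honors this macro */` would make the intent and the precondition visible to whoever next updates deps/openssl. Because the flag is set in the generated `opensslconf.h` rather than in the build definitions, a build that links a system OpenSSL presumably does not get it — worth stating in the PR description. Note that RC4 suites are classified MEDIUM, not LOW, so they are untouched by this define; the updated tests still negotiate `RC4-SHA`. The first hunk sits inside the `OPENSSL_DOING_MAKEDEPEND` guard closed at `#endif /* OPENSSL_DOING_MAKEDEPEND */`, whose opening is outside the hunk.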
22 changes: 11 additions & 11 deletions test/simple/test-tls-honorcipherorder-secureOptions.js
Expand Up @@ -49,7 +49,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, secureOptions, cb)
secureProtocol: SSL_Method,
key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
ciphers: 'AES256-SHA:RC4-SHA:DES-CBC-SHA',
ciphers: 'AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
secureOptions: secureOptions,
honorCipherOrder: !!honorCipherOrder
};
Expand Down Expand Up @@ -95,37 +95,37 @@ test1();

function test1() {
// Client has the preference of cipher suites by default
test(false, 'DES-CBC-SHA:RC4-SHA:AES256-SHA','DES-CBC-SHA', 0, test2);
test(false, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA','RC4-SHA', 0, test2);
}

function test2() {
// Server has the preference of cipher suites where AES256-SHA is in
// the first.
test(true, 'DES-CBC-SHA:RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test3);
test(true, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', 'AES256-SHA', 0, test3);
}

function test3() {
// Server has the preference of cipher suites. RC4-SHA is given
// higher priority over DES-CBC-SHA among client cipher suites.
test(true, 'DES-CBC-SHA:RC4-SHA', 'RC4-SHA', 0, test4);
// Server has the preference of cipher suites. AES256-SHA is given
// higher priority over RC4-SHA among client cipher suites.
test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test4);
}

function test4() {
// As client has only one cipher, server has no choice in regardless
// of honorCipherOrder.
test(true, 'DES-CBC-SHA', 'DES-CBC-SHA', 0, test5);
test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', 0, test5);
}

function test5() {
test(false,
'DES-CBC-SHA',
'DES-CBC-SHA',
'RC4-SHA',
'RC4-SHA',
process.binding('constants').SSL_OP_SINGLE_DH_USE, test6);
}

function test6() {
test(true,
'DES-CBC-SHA',
'DES-CBC-SHA',
'RC4-SHA',
'RC4-SHA',
process.binding('constants').SSL_OP_SINGLE_DH_USE);
}
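Review bot: The rewritten cases only show that the remaining suites still negotiate; none asserts the behaviour this PR introduces, namely that `DES-CBC-SHA` (or any other LOW/EXPORT suite) can no longer be used. A negative case — a server whose `ciphers` is `'DES-CBC-SHA'` failing to complete the handshake (or failing to set its cipher list, if the binding reports that) — would pin the build flag and catch a regression when deps/openssl is next bumped. `RC4-SHA` now stands in as the weak suite in `test1` and in `test5`/`test6`; RC4 is not removed by this change but is widely deprecated, so a comment like `// RC4-SHA is the low-preference suite here; replace it if RC4 is ever disabled` would spare the next person this same rewrite. The `test()` helper whose options are changed at the top of the section starts outside the visible hunk.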
23 changes: 8 additions & 15 deletions test/simple/test-tls-honorcipherorder.js
Expand Up @@ -30,15 +30,15 @@ var SSL_Method = 'TLSv1_method';
var localhost = '127.0.0.1';

process.on('exit', function() {
assert.equal(nconns, 6);
assert.equal(nconns, 5);
});

function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
var soptions = {
secureProtocol: SSL_Method,
key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
ciphers: 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA',
honorCipherOrder: !!honorCipherOrder
};

Expand Down Expand Up @@ -75,31 +75,24 @@ function test1() {
}

function test2() {
// Server has the preference of cipher suites where DES-CBC-SHA is in
// Server has the preference of cipher suites where RC4-SHA is in
// the first.
test(true, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'DES-CBC-SHA', test3);
test(true, 'AES256-SHA:RC4-SHA', 'RC4-SHA', test3);
}

function test3() {
// Server has the preference of cipher suites. RC4-SHA is given
// higher priority over DES-CBC-SHA among client cipher suites.
test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4);
// Server has the preference of cipher suites. AES256-SHA is given
// higher priority over ECDHE-RSA-AES256-SHA among client cipher suites.
test(true, 'ECDHE-RSA-AES256-SHA:AES256-SHA', 'AES256-SHA', test4);
}

function test4() {
// As client has only one cipher, server has no choice in regardless
// of honorCipherOrder.
test(true, 'RC4-SHA', 'RC4-SHA', test5);
test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', test5);
}

function test5() {
// Client did not explicitly set ciphers. Ensure that client defaults to
// sane ciphers. Even though server gives top priority to DES-CBC-SHA
// it should not be negotiated because it's not in default client ciphers.
test(true, null, 'AES256-SHA', test6);
}

function test6() {
// Ensure that `tls.DEFAULT_CIPHERS` is used
SSL_Method = 'TLSv1_2_method';
tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';
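Review bot: The case that checked the client's default cipher list against a server preferring a weak suite (the old `test5`, with `DES-CBC-SHA` first on the server) appears to be deleted rather than adapted, and `nconns` drops from 6 to 5 with it; that was the only coverage that a weak suite cannot be reached through defaults. Presumably it was dropped because the default client list still permits RC4, so the `RC4-SHA`-first server would no longer select `AES256-SHA`; if so, the honest replacement is a negative test that a server offering only a LOW suite fails the handshake, rather than losing the check. The server list now leads with `RC4-SHA` and `test2` asserts RC4 is selected, so a one-line comment such as `// RC4-SHA is used as the "weakest offered" suite; it is MEDIUM strength, not LOW` would clarify why it survived a weak-cipher cleanup. The reading of which lines were deleted is inferred from the 15-deletion count, and the tail of the file with the final test body is outside the hunk.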