src,build: add --openssl-default-cipher-list

This commit adds a configuration option named openssl-default-cipher-list which takes a colon separated string specifying ciphers that should be used as the default ciphers instead of the ones defined in node_constants. The motivation for this is a use case where Fedora/RHEL would like to be able to specify a default cipher in the format PROFILE=SYSTEM. This would enable Fedora/RHEL to have a system wide security level for all applications. PR-URL: https://github.com/nodejs/node/pull/33708 Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
2024-11-21 21:19:50 +01:00 · 2020-06-03 12:56:58 +02:00 · 2020-06-03 12:56:58 +02:00 · 7f8e977ee0
commit 7f8e977ee0
parent 111d1e523d
4 changed files with 50 additions and 27 deletions
--- a/configure.py
+++ b/configure.py
@ -170,6 +170,11 @@ parser.add_option("--link-module",
         "e.g. /root/x/y.js will be referenced via require('root/x/y'). "
         "Can be used multiple times")

+parser.add_option('--openssl-default-cipher-list',
+    action='store',
+    dest='openssl_default_cipher_list',
+    help='Use the specified cipher list as the default cipher list')
+
 parser.add_option("--openssl-no-asm",
    action="store_true",
    dest="openssl_no_asm",
@ -1302,6 +1307,8 @@ def configure_openssl(o):
      without_ssl_error('--openssl-no-asm')
    if options.openssl_fips:
      without_ssl_error('--openssl-fips')
+    if options.openssl_default_cipher_list:
+      without_ssl_error('--openssl-default-cipher-list')
    return

  if options.use_openssl_ca_store:
@ -1311,6 +1318,9 @@ def configure_openssl(o):
  variables['node_without_node_options'] = b(options.without_node_options)
  if options.without_node_options:
      o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS']
+  if options.openssl_default_cipher_list:
+    variables['openssl_default_cipher_list'] = \
+            options.openssl_default_cipher_list

  if not options.shared_openssl and not options.openssl_no_asm:
    is_x86 = 'x64' in variables['target_arch'] or 'ia32' in variables['target_arch']
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@ -269,33 +269,36 @@ Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

 ## Modifying the Default TLS Cipher suite

-Node.js is built with a default suite of enabled and disabled TLS ciphers.
-Currently, the default cipher suite is:
+Node.js is built with a default suite of enabled and disabled TLS ciphers. This
+default cipher list can be configured when building Node.js to allow
+distributions to provide their own default list.

-```text
-TLS_AES_256_GCM_SHA384:
-TLS_CHACHA20_POLY1305_SHA256:
-TLS_AES_128_GCM_SHA256:
-ECDHE-RSA-AES128-GCM-SHA256:
-ECDHE-ECDSA-AES128-GCM-SHA256:
-ECDHE-RSA-AES256-GCM-SHA384:
-ECDHE-ECDSA-AES256-GCM-SHA384:
-DHE-RSA-AES128-GCM-SHA256:
-ECDHE-RSA-AES128-SHA256:
-DHE-RSA-AES128-SHA256:
-ECDHE-RSA-AES256-SHA384:
-DHE-RSA-AES256-SHA384:
-ECDHE-RSA-AES256-SHA256:
-DHE-RSA-AES256-SHA256:
-HIGH:
-!aNULL:
-!eNULL:
-!EXPORT:
-!DES:
-!RC4:
-!MD5:
-!PSK:
-!SRP:
+The following command can be used to show the default cipher suite:
+```console
+node -p crypto.constants.defaultCoreCipherList | tr ':' '\n'
+TLS_AES_256_GCM_SHA384
+TLS_CHACHA20_POLY1305_SHA256
+TLS_AES_128_GCM_SHA256
+ECDHE-RSA-AES128-GCM-SHA256
+ECDHE-ECDSA-AES128-GCM-SHA256
+ECDHE-RSA-AES256-GCM-SHA384
+ECDHE-ECDSA-AES256-GCM-SHA384
+DHE-RSA-AES128-GCM-SHA256
+ECDHE-RSA-AES128-SHA256
+DHE-RSA-AES128-SHA256
+ECDHE-RSA-AES256-SHA384
+DHE-RSA-AES256-SHA384
+ECDHE-RSA-AES256-SHA256
+DHE-RSA-AES256-SHA256
+HIGH
+!aNULL
+!eNULL
+!EXPORT
+!DES
+!RC4
+!MD5
+!PSK
+!SRP
 !CAMELLIA
 ```

--- a/node.gyp
+++ b/node.gyp
@ -748,6 +748,7 @@

      'variables': {
        'openssl_system_ca_path%': '',
+        'openssl_default_cipher_list%': '',
      },

      'defines': [
@ -764,6 +765,11 @@
      'msvs_disabled_warnings!': [4244],

      'conditions': [
+        [ 'openssl_default_cipher_list!=""', {
+          'defines': [
+            'NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"'
+           ]
+        }],
        [ 'error_on_warn=="true"', {
          'cflags': ['-Werror'],
          'xcode_settings': {
--- a/src/node_constants.h
+++ b/src/node_constants.h
@ -41,6 +41,9 @@
 #define RSA_PSS_SALTLEN_AUTO -2
 #endif

+#if defined(NODE_OPENSSL_DEFAULT_CIPHER_LIST)
+#define DEFAULT_CIPHER_LIST_CORE NODE_OPENSSL_DEFAULT_CIPHER_LIST
+#else
 // TLSv1.3 suites start with TLS_, and are the OpenSSL defaults, see:
 //   https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
 #define DEFAULT_CIPHER_LIST_CORE \
@ -68,7 +71,8 @@
                                 "!PSK:"                            \
                                 "!SRP:"                            \
                                 "!CAMELLIA"
-#endif
+#endif  // NODE_OPENSSL_DEFAULT_CIPHER_LIST
+#endif  // HAVE_OPENSSL

 namespace node {