mirror of
https://github.com/nodejs/node.git
synced 2024-12-01 16:10:02 +01:00
tls: set ecdhCurve default to 'auto'
For best out-of-the-box compatibility there should not be one default `ecdhCurve` for the tls client, OpenSSL should choose them automatically. See https://wiki.openssl.org/index.php/Manual:SSL_CTX_set1_curves(3) PR-URL: https://github.com/nodejs/node/pull/16853 Refs: https://github.com/nodejs/node/issues/16196 Refs: https://github.com/nodejs/node/issues/1495 Refs: https://github.com/nodejs/node/pull/15206 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit is contained in:
parent
04566d3698
commit
af78840b19
@ -1164,8 +1164,7 @@ added: v0.11.13
|
||||
-->
|
||||
|
||||
The default curve name to use for ECDH key agreement in a tls server. The
|
||||
default value is `'prime256v1'` (NIST P-256). Consult [RFC 4492] and
|
||||
[FIPS.186-4] for more details.
|
||||
default value is `'auto'`. See [`tls.createSecureContext()`] for further information.
|
||||
|
||||
|
||||
## Deprecated APIs
|
||||
@ -1296,13 +1295,11 @@ where `secure_socket` has the same API as `pair.cleartext`.
|
||||
[Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
|
||||
[DHE]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
|
||||
[ECDHE]: https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman
|
||||
[FIPS.186-4]: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
|
||||
[Forward secrecy]: https://en.wikipedia.org/wiki/Perfect_forward_secrecy
|
||||
[OCSP request]: https://en.wikipedia.org/wiki/OCSP_stapling
|
||||
[OpenSSL Options]: crypto.html#crypto_openssl_options
|
||||
[OpenSSL cipher list format documentation]: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT
|
||||
[Perfect Forward Secrecy]: #tls_perfect_forward_secrecy
|
||||
[RFC 4492]: https://www.rfc-editor.org/rfc/rfc4492.txt
|
||||
[SSL_CTX_set_timeout]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_timeout.html
|
||||
[SSL_METHODS]: https://www.openssl.org/docs/man1.0.2/ssl/ssl.html#DEALING-WITH-PROTOCOL-METHODS
|
||||
[Stream]: stream.html#stream_stream
|
||||
|
@ -45,7 +45,7 @@ exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024;
|
||||
exports.DEFAULT_CIPHERS =
|
||||
process.binding('constants').crypto.defaultCipherList;
|
||||
|
||||
exports.DEFAULT_ECDH_CURVE = 'prime256v1';
|
||||
exports.DEFAULT_ECDH_CURVE = 'auto';
|
||||
|
||||
exports.getCiphers = internalUtil.cachedResult(
|
||||
() => internalUtil.filterDuplicateStrings(binding.getSSLCiphers(), true)
|
||||
|
@ -80,7 +80,7 @@ function testDHE2048() {
|
||||
}
|
||||
|
||||
function testECDHE256() {
|
||||
test(256, 'ECDH', tls.DEFAULT_ECDH_CURVE, testECDHE512);
|
||||
test(256, 'ECDH', 'prime256v1', testECDHE512);
|
||||
ntests++;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user