This introduces TLS1.3 support and makes it the default max protocol,
but also supports CLI/NODE_OPTIONS switches to disable it if necessary.
TLS1.3 is a major update to the TLS protocol, with many security
enhancements. It should be preferred over TLS1.2 whenever possible.
TLS1.3 is different enough that even though the OpenSSL APIs are
technically API/ABI compatible, when TLS1.3 is negotiated, the
timing of protocol records and of callbacks broke assumptions hard-coded
into the 'tls' module.
This change introduces no API incompatibilities when TLS1.2 is
negotiated. It is the intention that it be backported to current and LTS
release lines with the default maximum TLS protocol reset to 'TLSv1.2'.
This will allow users of those lines to explicitly enable TLS1.3 if they
want.
API incompatibilities between TLS1.2 and TLS1.3 are:
- Renegotiation is not supported by TLS1.3 protocol, attempts to call
`.renegotiate()` will always fail.
- Compiling against a system OpenSSL lower than 1.1.1 is no longer
supported (OpenSSL-1.1.0 used to be supported with configure flags).
- Variations of `conn.write('data'); conn.destroy()` have undefined
behaviour according to the streams API. They may or may not send the
'data', and may or may not cause an ERR_STREAM_DESTROYED error to be
emitted. This has always been true, but the conditions under which the
write succeeds are slightly but observably different when TLS1.3 is
negotiated vs when TLS1.2 or below is negotiated.
- If TLS1.3 is negotiated, and a server calls `conn.end()` in its
'secureConnection' listener without any data being written, the client
will not receive session tickets (no 'session' events will be emitted,
and `conn.getSession()` will never return a resumable session).
- The return value of `conn.getSession()` API may not return a resumable
session if called right after the handshake. The effect will be that
clients using the legacy `getSession()` API will resume sessions if
TLS1.2 is negotiated, but will do full handshakes if TLS1.3 is
negotiated. See https://github.com/nodejs/node/pull/25831 for more
information.
PR-URL: https://github.com/nodejs/node/pull/26209
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
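
The session-ticket behaviour described in the commit message above, as an added example that is not part of the commit or of the Node.js code base: a client that takes resumable sessions from 'session' events instead of calling `getSession()` right after the handshake. `SessionCache`, `connectResumable` and `demoOffline` are hypothetical names, and the single-use ticket policy goes beyond the commit text (RFC 8446 advises clients not to reuse a ticket across connections).

```javascript
const tls = require('tls');
const { EventEmitter } = require('events');

// Hypothetical helper: per-endpoint store fed by 'session' events.
class SessionCache {
  constructor() { this.tickets = new Map(); }
  put(key, session) { this.tickets.set(key, session); }
  // Hand each ticket out once, then forget it.
  take(key) {
    const session = this.tickets.get(key);
    this.tickets.delete(key);
    return session;
  }
}

// `connect` is injectable only so the flow can be exercised offline;
// real callers leave it at the default, tls.connect.
function connectResumable(options, cache, connect = tls.connect) {
  const key = `${options.host}:${options.port}`;
  const socket = connect({ ...options, session: cache.take(key) });
  // With TLS1.3 the tickets arrive after the handshake, possibly several
  // of them, so record each one as it is emitted rather than reading
  // getSession() in the 'secureConnect' handler.
  socket.on('session', (session) => cache.put(key, session));
  return socket;
}

// Offline walk-through with a constructed stand-in for tls.connect().
function demoOffline() {
  const offered = [];
  const fakeConnect = (opts) => {
    offered.push(opts.session);
    return new EventEmitter();
  };
  const cache = new SessionCache();
  const opts = { host: 'example.test', port: 443 }; // constructed endpoint
  const first = connectResumable(opts, cache, fakeConnect);
  first.emit('session', Buffer.from('ticket-1')); // constructed ticket bytes
  first.emit('session', Buffer.from('ticket-2'));
  connectResumable(opts, cache, fakeConnect); // offers the newest ticket
  connectResumable(opts, cache, fakeConnect); // nothing left: full handshake
  return offered.map((s) => (s ? s.toString() : null));
}
```

A server that ends the connection without writing any data never triggers the 'session' handler under TLS1.3, so the cache stays empty and the next connection does a full handshake.
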
When `timers.refresh()` is called inside a callback, the timer would
incorrectly end up unrefed and thus not keep the event loop alive.
PR-URL: https://github.com/nodejs/node/pull/26721
Fixes: https://github.com/nodejs/node/issues/26642
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
PR-URL: https://github.com/nodejs/node/pull/26708
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The How Does LTS Work section duplicates material in the release plan,
to which there is already a link in the doc. Unfortunately, it has gone
out of sync with the release plan, resulting in incorrect material being
in the Collaborator Guide. (The Release WG needs to approve certain
changes, not LTS WG as the guide currently says. It used to be the LTS
WG, but that changed.)
Instead of duplicating material in the Collaborator Guide and risking
that the two documents contradict each other again, instruct the reader
to refer to the release plan as the canonical source of information.
PR-URL: https://github.com/nodejs/node/pull/26723
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Edit and condense the "What is LTS?" section of the Collaborator Guide.
PR-URL: https://github.com/nodejs/node/pull/26722
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reset `ELDHistogram.prev_` before starting timer to ensure that start
timer doesn't leak across `disable()` `enable()` calls.
PR-URL: https://github.com/nodejs/node/pull/26693
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
`error` event on each kind of stream is optionally emitted when
`.destroy()` method is called. It depends on `._destroy()`
implementation. In default implementation this event will not be
fired unless `error` parameter has been provided.
It was already mentioned for `writable.destroy([error])`, so I
just copied same sentence for the other streams.
PR-URL: https://github.com/nodejs/node/pull/26589
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
This adds support to enforce a specific color depth by checking the
`FORCE_COLOR` environment variable similar to `chalk`.
On top of that we also add support for the `NO_COLOR` environment
variable as suggested by https://no-color.org/.
PR-URL: https://github.com/nodejs/node/pull/26485
Refs: https://github.com/nodejs/node/pull/26248
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
PR-URL: https://github.com/nodejs/node/pull/26753
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Treat `_third_party_main` like any other CJS entry point, as it
was done before 6967f91368.
PR-URL: https://github.com/nodejs/node/pull/26677
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Remove XXX, there has been an EC specific cert property since
https://github.com/nodejs/node/pull/24358
PR-URL: https://github.com/nodejs/node/pull/26598
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Instead of patching process._breakFirstLine to inform the JS land
to wait for the debugger, check that the JS land has not yet
serialized the options and then patch the debug options from C++.
The changes will be carried into JS later during option serialization.
PR-URL: https://github.com/nodejs/node/pull/26602
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Set the trace category update handler during bootstrap, but delay
the initial invocation of it until pre-execution. In addition, do
not serialize the `node.async_hooks` category state when loading
the trace_event binding during bootstrap, since it depends on
run time states (e.g. CLI flags). Instead, use the
`isTraceCategoryEnabled` v8 intrinsics to query that value during
pre-execution.
PR-URL: https://github.com/nodejs/node/pull/26605
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
- Add descriptions
- Filter out the relevant traces for testing, ignore the irrelevant
ones.
PR-URL: https://github.com/nodejs/node/pull/26605
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This patch:
- Moves the timer callback initialization into bootstrap/node.js,
documents when they will be called, and makes the dependency on
process._tickCallback explicit.
- Moves the initialization of tick callbacks and timer callbacks
to the end of the bootstrap to make sure the operations
done before those initializations are synchronous.
- Moves more internals into internal/timers.js from timers.js.
PR-URL: https://github.com/nodejs/node/pull/26583
Refs: https://github.com/nodejs/node/issues/26546
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This patch removes `NativeModule.require` and
`NativeModule.requireWithFallbackInDeps`. The public loaders now
have to use a special method
`NativeModule.prototype.compileForPublicLoader()` to compile native
modules. In addition this patch moves the decisions of proxifying
exports and throwing unknown builtin errors entirely to public
loaders, and skips those during internal use - therefore `loaders.js`,
which is compiled during bootstrap, no longer needs to be aware of
the value of `--experimental-modules`.
PR-URL: https://github.com/nodejs/node/pull/26549
Reviewed-By: James M Snell <jasnell@gmail.com>
The object returned by `child_process.spawnSync()` can have the `status`
property set to `null` if the process terminated due to a signal. We
even test for this in
test/parallel/test-child-process-spawnsync-kill-signal.js.
Update the documentation to reflect this.
PR-URL: https://github.com/nodejs/node/pull/26680
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
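
Why the `null` status described in the commit message above matters to callers, as an added example that is not part of the commit or of the Node.js code base: a truthiness check on `status` treats a child killed by a signal as a success, while a strict check fails closed. `naivePassed`, `outcome`, `runChild` and `demo` are hypothetical names, and the child processes are constructed one-line scripts run with the current Node.js binary.

```javascript
const { spawnSync } = require('child_process');

// Naive gate: null is falsy, so a signal-killed child looks like exit 0.
function naivePassed(result) {
  return !result.status;
}

// Strict gate: pass only when the child really exited with status 0.
function outcome(result) {
  if (result.signal) {
    return { passed: false, why: `killed by ${result.signal}` };
  }
  if (result.error) {
    return { passed: false, why: `spawn error ${result.error.code}` };
  }
  if (result.status !== 0) {
    return { passed: false, why: `exit status ${result.status}` };
  }
  return { passed: true, why: 'exit status 0' };
}

// Constructed sample children: this Node.js binary running a short script.
function runChild(script) {
  return spawnSync(process.execPath, ['-e', script]);
}

function demo() {
  const killed = runChild("process.kill(process.pid, 'SIGKILL')");
  const failed = runChild('process.exit(3)');
  const clean = runChild('0');
  return {
    killedStatus: killed.status,          // null, not a number
    killedNaive: naivePassed(killed),     // wrongly reported as passed
    killedStrict: outcome(killed),
    failedStrict: outcome(failed),
    cleanStrict: outcome(clean),
  };
}
```
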
Notable changes:
- `statx()` is used to retrieve file birth times on
supported platforms.
- Improved support of running under Windows safe mode.
- Add support for UDP connected sockets. Several functions
can now return `UV_EBADF` instead of `UV_EINVAL`.
- SunOS support is improved.
PR-URL: https://github.com/nodejs/node/pull/26707
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Starting in libuv 1.27.0, test-dgram-address.js should expect
EBADF instead of EINVAL.
PR-URL: https://github.com/nodejs/node/pull/26707
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Remove the internal testing utility and use the public API instead.
PR-URL: https://github.com/nodejs/node/pull/26671
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
So far this test did not verify that the call did indeed fail since
the error case was not checked. This makes sure the error is indeed
thrown as expected.
PR-URL: https://github.com/nodejs/node/pull/26660
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
AsyncResource.emitBefore and AsyncResource.emitAfter have been
deprecated in https://github.com/nodejs/node/pull/18632. This PR removes
it all.
This commit also updates some embedder tests to use internal APIs.
The conditions are still possible for Node.js core developers but not
for end users.
PR-URL: https://github.com/nodejs/node/pull/26530
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Benedikt Meurer <benedikt.meurer@gmail.com>
Reviewed-By: Yang Guo <yangguo@chromium.org>
Reviewed-By: Andreas Madsen <amwebdk@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Rejoice, the code base is now free of manual EVP_PKEY_free() calls!
PR-URL: https://github.com/nodejs/node/pull/26632
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
OpenSSL 1.0.0 returned incorrect version information. OpenSSL 1.1.0
fixed this, but returning the correct information broke our tests, so
was considered semver-major. Because of this, the version was hard-coded
to the OpenSSL 1.0.0 (incorrect) string in 5fe81c8aff.
This is ancient history, start returning the correct cipher version.
PR-URL: https://github.com/nodejs/node/pull/26625
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Edit the guidelines for force-pushing in Collaborator Guide. There are
no policy changes, but the material is simplified a bit and the
sentences are now shorter.
PR-URL: https://github.com/nodejs/node/pull/26699
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update lint-md.js to lint for "RFC1234" and similar variants that should
be written as "RFC 1234".
PR-URL: https://github.com/nodejs/node/pull/26727
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Use "RFC 1234" instead of "rfc1234", "RFC1234" or similar variants.
PR-URL: https://github.com/nodejs/node/pull/26727
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Remove inclusion of headers that are no longer required.
PR-URL: https://github.com/nodejs/node/pull/26697
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Original commit message:
Correct removal of redundant moves
The logic for removing while iterating is non-standard and
a left over from a previous index based loop. This patch
replaces it with a standard erase based version.
This fixes a runtime crash with MSVC that invalidates the
iterator and then asserts. This also makes the code safe
in case the last move can be redundant.
Change-Id: Ie6990e0d65a3b83a4b7da3e2e89ed4e60a6cd215
Reviewed-on: https://chromium-review.googlesource.com/c/1488762
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59868}
Refs: 385aa80aff
PR-URL: https://github.com/nodejs/node/pull/26702
Fixes: https://github.com/nodejs/node/issues/26694
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Michaël Zasso <targos@protonmail.com>