build,src: remove sslv3 support #315

Merged
merged 1 commit into from Jan 13, 2015


bnoordhuis
Member

SSLv3 is susceptible to downgrade attacks. Provide secure defaults,
disable v3 protocol support entirely.

R=@indutny, /cc @iojs/tc

// Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends are
// still accepted. They are OpenSSL's way of saying that all known protocols
// are supported unless explicitly disabled (which we do for SSLv2 and SSLv3.)
tls.createSecureContext({ secureProtocol: 'SSLv23_method' });
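
Review bot: the comment says `SSLv2_method` and friends are still accepted, but the call directly below passes `'SSLv23_method'`, and the description "all known protocols are supported unless explicitly disabled" fits the v23 name, not a v2-only method. Suggest the comment read `SSLv23_method` so it matches the call it documents.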
Member


var methods = []; methods.forEach(...)

Member Author


I like the explicitness. The url tests use (humongous!) arrays and when something breaks, it's always a pain to figure out what.

Contributor


agreed with @bnoordhuis

@trevnorris
Contributor

LGTM, but going to defer to @indutny

SSLv3 is susceptible to downgrade attacks.  Provide secure defaults,
disable v3 protocol support entirely.

PR-URL: nodejs#315
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
@indutny
Member

indutny commented Jan 13, 2015

I'm fine with it, LGTM

@bnoordhuis bnoordhuis merged commit 5165d71 into nodejs:v1.x Jan 13, 2015
@bnoordhuis bnoordhuis deleted the remove-sslv3-support branch January 13, 2015 01:22
@nodejs nodejs locked and limited conversation to collaborators Nov 6, 2015