Skip to content
This repository was archived by the owner on Apr 22, 2023. It is now read-only.

Commit 1349b68

Browse files
indutnytjfontaine
indutny
authored and
tjfontaine
committed
crypto: allow forcing SSLv2/v3 via secureProtocol
Force-enable SSLv2/v3 when `secureProtocol` is explicitly set to `SSLv2_method` or `SSLv3_method`. see discussion at #8551
1 parent 6c8593d commit 1349b68

7 files changed

+21
-251
lines changed

doc/api/tls.markdown

+13-9
Original file line numberDiff line numberDiff line change
@@ -48,15 +48,19 @@ If you wish to enable SSLv2 or SSLv3, run node with the `--enable-ssl2` or
4848
`--enable-ssl3` flag respectively. In future versions of Node.js SSLv2 and
4949
SSLv3 will not be compiled in by default.
5050

51-
This means that without having one or both of those flags set on the command
52-
line, Node.js will **throw** if you explicitly set the `secureProtocol` to
53-
`SSLv3_method` or similar. However the default protocol method Node.js uses is
54-
`SSLv23_method` which would be more accurately named `AutoNegotiate_method`.
55-
This method will try and negotiate from the highest level down to whatever the
56-
client supports. To provide a secure default, Node.js (since v0.10.33)
57-
explicitly disables the use of SSLv3 and SSLv2 by setting the `secureOptions`
58-
to be `SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
59-
`--enable-ssl3` or `--enable-ssl2`).
51+
There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly
52+
specifying `secureProtocol` to `'SSLv3_method'` or `'SSLv2_method'`.
53+
54+
The default protocol method Node.js uses is `SSLv23_method` which would be more
55+
accurately named `AutoNegotiate_method`. This method will try and negotiate
56+
from the highest level down to whatever the client supports. To provide a
57+
secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3
58+
and SSLv2 by setting the `secureOptions` to be
59+
`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
60+
`--enable-ssl3`, or `--enable-ssl2`, or `SSLv3_method` as `secureProtocol`).
61+
62+
If you have set `securityOptions` to anything, we will not override your
63+
options.
6064

6165
The ramifications of this behavior change:
6266

lib/crypto.js

+8-2
Original file line numberDiff line numberDiff line change
@@ -92,8 +92,14 @@ function Credentials(secureProtocol, flags, context) {
9292
CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv2;
9393
}
9494

95-
if (flags === undefined)
96-
flags = CONTEXT_DEFAULT_OPTIONS;
95+
if (flags === undefined) {
96+
if (secureProtocol === undefined ||
97+
secureProtocol === 'SSLv23_method' ||
98+
secureProtocol === 'SSLv23_server_method' ||
99+
secureProtocol === 'SSLv23_client_method') {
100+
flags |= CONTEXT_DEFAULT_OPTIONS;
101+
}
102+
}
97103

98104
this.context.setOptions(flags);
99105
}

src/node_crypto.cc

-24
Original file line numberDiff line numberDiff line change
@@ -238,24 +238,6 @@ Handle<Value> SecureContext::New(const Arguments& args) {
238238
}
239239

240240

241-
bool MaybeThrowSSL3() {
242-
if (!SSL3_ENABLE) {
243-
ThrowException(Exception::Error(String::New("SSLv3 is considered unsafe, see node --help")));
244-
return true;
245-
} else {
246-
return false;
247-
}
248-
}
249-
250-
bool MaybeThrowSSL2() {
251-
if (!SSL2_ENABLE) {
252-
ThrowException(Exception::Error(String::New("SSLv2 is considered unsafe, see node --help")));
253-
return true;
254-
} else {
255-
return false;
256-
}
257-
}
258-
259241
Handle<Value> SecureContext::Init(const Arguments& args) {
260242
HandleScope scope;
261243

@@ -268,42 +250,36 @@ Handle<Value> SecureContext::Init(const Arguments& args) {
268250

269251
if (strcmp(*sslmethod, "SSLv2_method") == 0) {
270252
#ifndef OPENSSL_NO_SSL2
271-
if (MaybeThrowSSL2()) return Undefined();
272253
method = SSLv2_method();
273254
#else
274255
return ThrowException(Exception::Error(String::New("SSLv2 methods disabled")));
275256
#endif
276257
} else if (strcmp(*sslmethod, "SSLv2_server_method") == 0) {
277258
#ifndef OPENSSL_NO_SSL2
278-
if (MaybeThrowSSL2()) return Undefined();
279259
method = SSLv2_server_method();
280260
#else
281261
return ThrowException(Exception::Error(String::New("SSLv2 methods disabled")));
282262
#endif
283263
} else if (strcmp(*sslmethod, "SSLv2_client_method") == 0) {
284264
#ifndef OPENSSL_NO_SSL2
285-
if (MaybeThrowSSL2()) return Undefined();
286265
method = SSLv2_client_method();
287266
#else
288267
return ThrowException(Exception::Error(String::New("SSLv2 methods disabled")));
289268
#endif
290269
} else if (strcmp(*sslmethod, "SSLv3_method") == 0) {
291270
#ifndef OPENSSL_NO_SSL3
292-
if (MaybeThrowSSL3()) return Undefined();
293271
method = SSLv3_method();
294272
#else
295273
return ThrowException(Exception::Error(String::New("SSLv3 methods disabled")));
296274
#endif
297275
} else if (strcmp(*sslmethod, "SSLv3_server_method") == 0) {
298276
#ifndef OPENSSL_NO_SSL3
299-
if (MaybeThrowSSL3()) return Undefined();
300277
method = SSLv3_server_method();
301278
#else
302279
return ThrowException(Exception::Error(String::New("SSLv3 methods disabled")));
303280
#endif
304281
} else if (strcmp(*sslmethod, "SSLv3_client_method") == 0) {
305282
#ifndef OPENSSL_NO_SSL3
306-
if (MaybeThrowSSL3()) return Undefined();
307283
method = SSLv3_client_method();
308284
#else
309285
return ThrowException(Exception::Error(String::New("SSLv3 methods disabled")));

test/simple/test-tls-disable-ssl2.js

-53
This file was deleted.

test/simple/test-tls-disable-ssl3.js

-53
This file was deleted.

test/simple/test-tls-enable-ssl2.js

-55
This file was deleted.

test/simple/test-tls-enable-ssl3.js

-55
This file was deleted.

0 commit comments

Comments
 (0)