delta/node-new.git/lib/https.js, branch pull-request-doc-updates github.com: nodejs/node.git tls: introduce client 'session' event 2019-02-02T03:06:58+00:00 Sam Roberts vieuxtech@gmail.com 2019-01-30T20:18:04+00:00 0f8e8f7c6b9e7a8bdae53c831f37b2034d1c9fa7 OpenSSL has supported async notification of sessions and tickets since 1.1.0 using SSL_CTX_sess_set_new_cb(), for all versions of TLS. Using the async API is optional for TLS1.2 and below, but for TLS1.3 it will be mandatory. Future-proof applications should start to use async notification immediately. In the future, for TLS1.3, applications that don't use the async API will silently, but gracefully, fail to resume sessions and instead do a full handshake. See: https://wiki.openssl.org/index.php/TLS1.3#Sessions PR-URL: https://github.com/nodejs/node/pull/25831 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> 
OpenSSL has supported async notification of sessions and tickets since
1.1.0 using SSL_CTX_sess_set_new_cb(), for all versions of TLS. Using
the async API is optional for TLS1.2 and below, but for TLS1.3 it will
be mandatory. Future-proof applications should start to use async
notification immediately. In the future, for TLS1.3, applications that
don't use the async API will silently, but gracefully, fail to resume
sessions and instead do a full handshake.

See: https://wiki.openssl.org/index.php/TLS1.3#Sessions

PR-URL: https://github.com/nodejs/node/pull/25831
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
lib: support overriding http\s.globalAgent 2019-01-07T23:10:36+00:00 Roy Sommer roy@sommer.co.il 2018-12-21T18:17:15+00:00 5774688e2614ccb89749ea2f523014c6479616aa Overriding `require('http[s]').globalAgent` is now respected by consequent requests. In order to achieve that, the following changes were made: 1. Implmentation in `http`: `module.exports.globalAgent` is now defined through `Object.defineProperty`. Its getter and setter return \ set `require('_http_agent').globalAgent`. 2. Implementation in `https`: the https `globalAgent` is not the same as `_http_agent`, and is defined in `https` module itself. Therefore, the fix here was to simply use `module.exports.globalAgent` to support mutation. 3. According tests were added for both `http` and `https`, where in both we create a server, set the default agent to a newly created instance and make a request to that server. We then assert that the given instance was actually used by inspecting its sockets property. Fixes: https://github.com/nodejs/node/issues/23281 PR-URL: https://github.com/nodejs/node/pull/25170 Reviewed-By: James M Snell <jasnell@gmail.com> 
Overriding `require('http[s]').globalAgent` is now respected by
consequent requests.

In order to achieve that, the following changes were made:

1. Implmentation in `http`: `module.exports.globalAgent` is now defined
through `Object.defineProperty`. Its getter and setter return \ set
`require('_http_agent').globalAgent`.

2. Implementation in `https`: the https `globalAgent` is not the same
as `_http_agent`, and is defined in `https` module itself. Therefore,
the fix here was to simply use `module.exports.globalAgent` to support
mutation.

3. According tests were added for both `http` and `https`, where in
both we create a server, set the default agent to a newly created
instance and make a request to that server. We then assert that the
given instance was actually used by inspecting its sockets property.

Fixes: https://github.com/nodejs/node/issues/23281

PR-URL: https://github.com/nodejs/node/pull/25170
Reviewed-By: James M Snell <jasnell@gmail.com>
lib: remove internal `util._extends()` usage 2018-12-20T12:52:44+00:00 Ruben Bridgewater ruben@bridgewater.de 2018-12-18T02:15:57+00:00 d4c91f28148af8a6c1a95392e5c88cb93d4b61c6 This removes all internal calls to the deprecated `_extends()` function. It is slower than `Object.assign()` and the object spread notation since V8 6.8 and using the spread notation often also results in shorter code. PR-URL: https://github.com/nodejs/node/pull/25105 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 
This removes all internal calls to the deprecated `_extends()`
function. It is slower than `Object.assign()` and the object spread
notation since V8 6.8 and using the spread notation often also
results in shorter code.

PR-URL: https://github.com/nodejs/node/pull/25105
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
lib: use ES6 class inheritance style 2018-12-05T15:55:00+00:00 Ruben Bridgewater ruben@bridgewater.de 2018-12-02T14:03:01+00:00 59257543c3db6f9ca01a91b75855934c2a913065 PR-URL: https://github.com/nodejs/node/pull/24755 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> 
PR-URL: https://github.com/nodejs/node/pull/24755
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
lib: remove `inherits()` usage 2018-12-05T15:53:58+00:00 Ruben Bridgewater ruben@bridgewater.de 2018-11-30T16:55:48+00:00 dcc82b37b631d636e0fefc8272c357ec4a7d6df2 This switches all `util.inherits()` calls to use `Object.setPrototypeOf()` instead. In fact, `util.inherits()` is mainly a small wrapper around exactly this function while adding the `_super` property on the object as well. Refs: #24395 PR-URL: https://github.com/nodejs/node/pull/24755 Refs: https://github.com/nodejs/node/issues/24395 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> 
This switches all `util.inherits()` calls to use
`Object.setPrototypeOf()` instead. In fact, `util.inherits()` is
mainly a small wrapper around exactly this function while adding
the `_super` property on the object as well.

Refs: #24395

PR-URL: https://github.com/nodejs/node/pull/24755
Refs: https://github.com/nodejs/node/issues/24395
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
http,https: protect against slow headers attack 2018-11-28T00:36:34+00:00 Matteo Collina hello@matteocollina.com 2018-08-23T14:46:07+00:00 ee618a7ab239c98d945c723a4e225bc409151736 CVE-2018-12122 An attacker can send a char/s within headers and exahust the resources (file descriptors) of a system even with a tight max header length protection. This PR destroys a socket if it has not received the headers in 40s. PR-URL: https://github.com/nodejs-private/node-private/pull/144 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> 
CVE-2018-12122

An attacker can send a char/s within headers and exahust the resources
(file descriptors) of a system even with a tight max header length
protection. This PR destroys a socket if it has not received the headers
in 40s.

PR-URL: https://github.com/nodejs-private/node-private/pull/144
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
tls: add min/max protocol version options 2018-11-22T17:14:58+00:00 Sam Roberts vieuxtech@gmail.com 2018-05-06T04:52:34+00:00 f512f5ea138fe86e47c0179d5733044daf6f4fe6 The existing secureProtocol option only allows setting the allowed protocol to a specific version, or setting it to "all supported versions". It also used obscure strings based on OpenSSL C API functions. Directly setting the min or max is easier to use and explain. PR-URL: https://github.com/nodejs/node/pull/24405 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.

PR-URL: https://github.com/nodejs/node/pull/24405
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
https: allow url and options to be passed to https.request 2018-08-01T05:53:25+00:00 Sam Ruby rubys@intertwingly.net 2018-07-29T05:00:28+00:00 19aa41c6fc92408fa078d3a10d780a599f7bca01 PR-URL: https://github.com/nodejs/node/pull/22003 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
PR-URL: https://github.com/nodejs/node/pull/22003
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
lib,src: remove openssl feature conditionals 2018-06-07T22:53:37+00:00 Ben Noordhuis info@bnoordhuis.nl 2018-06-02T08:52:59+00:00 a76f0298184115971bac56dd369418786569f76d Remove compile-time and run-time conditionals for features that OpenSSL 1.0.0 and 1.0.1 didn't support: ALPN, OCSP and/or SNI. They are no longer necessary since our baseline is OpenSSL 1.0.2. PR-URL: https://github.com/nodejs/node/pull/21094 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 
Remove compile-time and run-time conditionals for features that
OpenSSL 1.0.0 and 1.0.1 didn't support: ALPN, OCSP and/or SNI.
They are no longer necessary since our baseline is OpenSSL 1.0.2.

PR-URL: https://github.com/nodejs/node/pull/21094
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
https: removed extra _http_server require 2018-06-06T01:57:39+00:00 ErnestoSalazar ernestoalbertosalazar@gmail.com 2018-05-31T21:26:31+00:00 5ebdce277e9673dca7ec105cdca889abfa30f3b7 PR-URL: https://github.com/nodejs/node/pull/21069 Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Kyle Farnung <kfarnung@microsoft.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Jon Moss <me@jonathanmoss.me> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 
PR-URL: https://github.com/nodejs/node/pull/21069
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Kyle Farnung <kfarnung@microsoft.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>