delta/node.git/src/node_crypto.h, branch v0.10 github.com: joyent/node.git tls: revert disable RC4 and cipher lists changes 2015-06-19T05:37:10+00:00 Julien Gilli julien.gilli@joyent.com 2015-06-11T21:32:48+00:00 dcb7ef2e4024bbb984c5d40b692fb5ec6aefa008 This reverts commit 67d9a56251c4491beacb666ba5833574d0cf0d12. This commit actually reverts both 67d9a56251c4491beacb666ba5833574d0cf0d12 and 02a549ed2b2afe85d8ff0335b6684ad54023afb7 (both related to ciphers list changes). It does it in one commit because reverting 02a549ed2b2afe85d8ff0335b6684ad54023afb7 results in an empty commit. These changes are not yet ready to be released, and before they are we want to be able to publish new releases. We're reverting them so that we can submit a new PR that will contain all these changes plus what's necessary to be able to land them properly. Conflicts: src/node.cc PR: #25511 PR-URL: https://github.com/joyent/node/pull/25511 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 
This reverts commit 67d9a56251c4491beacb666ba5833574d0cf0d12.

This commit actually reverts both
67d9a56251c4491beacb666ba5833574d0cf0d12 and
02a549ed2b2afe85d8ff0335b6684ad54023afb7 (both related to ciphers list
changes). It does it in one commit because reverting
02a549ed2b2afe85d8ff0335b6684ad54023afb7 results in an empty commit.

These changes are not yet ready to be released, and before they are we
want to be able to publish new releases. We're reverting them so that we
can submit a new PR that will contain all these changes plus what's
necessary to be able to land them properly.

Conflicts:
	src/node.cc

PR: #25511
PR-URL: https://github.com/joyent/node/pull/25511
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
tls: disable RC4, add --cipher-list command line switch 2015-04-08T19:00:18+00:00 James M Snell jasnell@gmail.com 2015-04-02T22:16:40+00:00 67d9a56251c4491beacb666ba5833574d0cf0d12 Disable RC4 in the default cipher list Add the `--cipher-list` command line switch and `NODE_CIPHER_LIST` environment variable to completely override the default cipher list. Add the `--enable-legacy-cipher-list` and `NODE_LEGACY_CIPHER_LIST` environment variable to selectively enable the default cipher list from previous node.js releases. Reviewed-By: James M Snell <jasnell@gmail.com> PR-URL: https://github.com/joyent/node/pull/14413 
Disable RC4 in the default cipher list

Add the `--cipher-list` command line switch and `NODE_CIPHER_LIST`
environment variable to completely override the default cipher list.

Add the `--enable-legacy-cipher-list` and `NODE_LEGACY_CIPHER_LIST`
environment variable to selectively enable the default cipher list from
previous node.js releases.

Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/14413
crypto: allow runtime opt in using SSLv2/SSLv3 2014-10-16T00:36:05+00:00 Timothy J Fontaine tjfontaine@gmail.com 2014-10-15T20:56:40+00:00 d601c76f4d728dd7adfa2fbbed2fe86de2e6b479 This change disables SSLv2/SSLv3 use by default, and introduces a command line flag to opt into using SSLv2/SSLv3. SSLv2 and SSLv3 are considered unsafe, and should only be used in situations where compatibility with other components is required and they cannot be upgrade to support newer forms of TLS. 
This change disables SSLv2/SSLv3 use by default, and introduces a
command line flag to opt into using SSLv2/SSLv3.

SSLv2 and SSLv3 are considered unsafe, and should only be used in
situations where compatibility with other components is required and
they cannot be upgrade to support newer forms of TLS.
crypto: improve memory usage 2014-05-15T21:33:08+00:00 Alexis Campailla alexis@janeasystems.com 2014-05-14T17:07:29+00:00 c06495713a95b40d28729e2211dc5a813611b2fe ClientHelloParser used to contain an 18k buffer that was kept around for the life of the connection, even though it was not needed in many situations. I changed it to be deallocated when it's determined to be no longer needed. Signed-off-by: Fedor Indutny <fedor@indutny.com> 
ClientHelloParser used to contain an 18k buffer that was kept around
for the life of the connection, even though it was not needed in many
situations. I changed it to be deallocated when it's determined to
be no longer needed.

Signed-off-by: Fedor Indutny <fedor@indutny.com>
src: seed V8's random number generator at startup 2014-03-26T07:31:32+00:00 Ben Noordhuis info@bnoordhuis.nl 2013-09-20T20:01:49+00:00 70f198ddb1ba464da97799f59ae9233320ecc49d The default entropy source is /dev/urandom on UNIX platforms, which is okay but we can do better by seeding it from OpenSSL's entropy pool. On Windows we can certainly do better; on that platform, V8 seeds the random number generator using only the current system time. Fixes #6250. NB: This is a back-port of commit 7ac2391 from the master branch that for some reason never got back-ported to the v0.10 branch. The default on UNIX platforms in v0.10 is different and arguably worse than it is with master: if no entropy source is provided, V8 3.14 calls srandom() with a xor of the PID and the current time in microseconds. That means that on systems with a coarse system clock, the initial state of the PRNG may be easily guessable. The situation on Windows is even more dire because there the PRNG is seeded with only the current time... in milliseconds. 
The default entropy source is /dev/urandom on UNIX platforms, which is
okay but we can do better by seeding it from OpenSSL's entropy pool.

On Windows we can certainly do better; on that platform, V8 seeds the
random number generator using only the current system time.

Fixes #6250.

NB: This is a back-port of commit 7ac2391 from the master branch that
for some reason never got back-ported to the v0.10 branch.

The default on UNIX platforms in v0.10 is different and arguably worse
than it is with master: if no entropy source is provided, V8 3.14 calls
srandom() with a xor of the PID and the current time in microseconds.

That means that on systems with a coarse system clock, the initial
state of the PRNG may be easily guessable.

The situation on Windows is even more dire because there the PRNG is
seeded with only the current time... in milliseconds.
tls: emit 'end' on .receivedShutdown 2013-12-10T18:56:01+00:00 Fedor Indutny fedor.indutny@gmail.com 2013-12-09T15:47:55+00:00 4a2792cd2f86403a71edf65d82600b6aad5713bf NOTE: Also removed `.receivedShutdown` method of `Connection` it wasn't documented anywhere, and was rewritten with `true` after receiving `close_notify`. fix #6638 
NOTE: Also removed `.receivedShutdown` method of `Connection` it wasn't
documented anywhere, and was rewritten with `true` after receiving
`close_notify`.

fix #6638
tls: reset NPN callbacks after SNI 2013-12-02T10:48:14+00:00 Fedor Indutny fedor.indutny@gmail.com 2013-11-22T14:33:50+00:00 9b8fcff43575592ace3d391ee47184f98ed755df SNI callback selects a new SSL_CTX for the connection, which doesn't have NPN callbacks set up. 
SNI callback selects a new SSL_CTX for the connection, which doesn't
have NPN callbacks set up.
tls: ignore .shutdown() syscall error 2013-05-28T16:14:44+00:00 Fedor Indutny fedor.indutny@gmail.com 2013-05-28T13:50:38+00:00 fa170dd2b241bc0f22f88071158686075c3b269e Quote from SSL_shutdown man page: The output of SSL_get_error(3) may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. Also, handle all other errors to prevent assertion in `ClearError()`. 
Quote from SSL_shutdown man page:

  The output of SSL_get_error(3) may be misleading,
  as an erroneous SSL_ERROR_SYSCALL may be flagged even though
  no error occurred.

Also, handle all other errors to prevent assertion in `ClearError()`.
crypto: remove unused ClientHelloParser field 2013-04-09T23:39:00+00:00 Ben Noordhuis info@bnoordhuis.nl 2013-04-09T23:38:59+00:00 eeb4c3216d9f57bbf404c56bab7b9221cfbf6ae9 






crypto: fix ssl error handling
2012-11-16T23:52:58+00:00

Sergey Kholodilov
serghol@gmail.com

2012-11-09T20:32:28+00:00

019ad346e0a9f1669a1e81b0ae3eb2e0f7e4ddd7

Make HandleSSLError() correctly process a zero status code: sometimes it
indicates an error and sometimes it doesn't.





Make HandleSSLError() correctly process a zero status code: sometimes it
indicates an error and sometimes it doesn't.