From b9283cf9d17a51f9654b438216ecb743ed69a7ce Mon Sep 17 00:00:00 2001
From: Timothy J Fontaine
Date: Wed, 22 Oct 2014 10:27:56 -0700
Subject: tls: honorCipherOrder should not degrade defaults

Specifying honorCipherOrder should not change the SSLv2/SSLv3 defaults for a TLS server. Use secureOptions logic in both lib/tls.js and lib/crypto.js
---
 lib/tls.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'lib/tls.js')

diff --git a/lib/tls.js b/lib/tls.js
index 392f7ad2b..adc8efa63 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -1239,11 +1239,16 @@ Server.prototype.setOptions = function(options) {
 if (options.secureProtocol) this.secureProtocol = options.secureProtocol;
 if (options.crl) this.crl = options.crl;
 if (options.ciphers) this.ciphers = options.ciphers;
- var secureOptions = options.secureOptions || 0;
+
+ var secureOptions = crypto._getSecureOptions(options.secureProtocol,
+ options.secureOptions);
+
 if (options.honorCipherOrder) {
 secureOptions |= constants.SSL_OP_CIPHER_SERVER_PREFERENCE;
 }
- if (secureOptions) this.secureOptions = secureOptions;
+
+ this.secureOptions = secureOptions;
+
 if (options.NPNProtocols) convertNPNProtocols(options.NPNProtocols, this);
 if (options.SNICallback) {
 this.SNICallback = options.SNICallback;
@@ -1326,6 +1331,9 @@ exports.connect = function(/* [port, host], options, cb */) {
 };
 options = util._extend(defaults, options || {});
+ options.secureOptions = crypto._getSecureOptions(options.secureProtocol,
+ options.secureOptions);
+
 var socket = options.socket ? options.socket : new net.Stream();
 var sslcontext = crypto.createCredentials(options);
-- 
cgit v1.2.1
From 69080f5474369fc7fc4be7ab74ad2e1619eb2fbc Mon Sep 17 00:00:00 2001
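Review bot: `this.secureOptions` is now assigned unconditionally in `Server.prototype.setOptions`, which is what makes a server that passes no `secureOptions` still receive the protocol defaults from `crypto._getSecureOptions`, but nothing in the hunk says so, and a later reader who sees the old `if (secureOptions)` guard removed may reintroduce it and silently drop those defaults again. Suggest a comment above the new `var secureOptions =` line: `// Always derive secureOptions from the secureProtocol defaults (per the commit, the SSLv2/SSLv3 restrictions); honorCipherOrder only adds SSL_OP_CIPHER_SERVER_PREFERENCE to that set, never replaces it.` Since `_getSecureOptions` is an underscore-prefixed helper from lib/crypto.js, its contract (whether a caller-supplied `secureOptions` is OR-ed with the defaults or can clear them) is not visible here and is worth confirming with a regression test that checks `honorCipherOrder: true` leaves the default bits set. `Server.prototype.setOptions` starts and ends outside the hunk.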
From: Timothy J Fontaine
Date: Wed, 22 Oct 2014 12:14:10 -0700
Subject: tls: enforce secureOptions on incoming clients

Reuse the secureProtocol and secureOptions of the server when creating the secure context for incoming clients.
---
 lib/tls.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'lib/tls.js')

diff --git a/lib/tls.js b/lib/tls.js
index adc8efa63..77a708921 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -1145,7 +1145,12 @@ function Server(/* [options], listener */) {
 // constructor call
 net.Server.call(this, function(socket) {
- var creds = crypto.createCredentials(null, sharedCreds.context);
+ var connOps = {
+ secureProtocol: self.secureProtocol,
+ secureOptions: self.secureOptions
+ };
+
+ var creds = crypto.createCredentials(connOps, sharedCreds.context);
+
 var pair = new SecurePair(creds, true,
-- 
cgit v1.2.1
From 523929c9272a53c9429616564a45f2af59670e47 Mon Sep 17 00:00:00 2001
From: Emmanuel Odeke
Date: Wed, 22 Oct 2014 16:57:51 -0600
Subject: repl: Private Buffer object in lib/* files

Fixes usage of global object 'Buffer' in lib/* files by ensuring that each file does an explicit require('buffer').Buffer. Previously, when running a repl, due to usage of global 'Buffer', any redefinition of Buffer would cause a crash eg var Buffer = {}.

Fixes: https://github.com/joyent/node/issues/8588
PR-URL: https://github.com/joyent/node/pull/8603
Reviewed-by: Trevor Norris
---
 lib/tls.js | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lib/tls.js')

diff --git a/lib/tls.js b/lib/tls.js
index 77a708921..e3b908322 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -26,6 +26,7 @@ var url = require('url');
 var events = require('events');
 var stream = require('stream');
 var assert = require('assert').ok;
+var Buffer = require('buffer').Buffer;
 var constants = require('constants');
 var Timer = process.binding('timer_wrap').Timer;
-- 
cgit v1.2.1
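Review bot: The per-connection `connOps` passes `self.secureProtocol` and `self.secureOptions` alongside the already-built `sharedCreds.context`, but the hunk does not explain why options must be re-applied to a shared context, and whether `crypto.createCredentials` honours `secureOptions` when a context argument is supplied is not visible here and should be confirmed. Suggest a comment above `var connOps = {`: `// Re-apply the server's protocol/options to the shared context so each incoming client gets the same SSLv2/SSLv3 restrictions as the listener, not the library defaults.` This also depends on `setOptions` having always assigned `this.secureOptions`, which the preceding commit introduced; a test that connects a client and inspects the negotiated protocol would pin that. `self` is bound outside the hunk, and both the `Server` constructor and the connection callback start and end outside it.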